Sloppy security behind Pfizer hack?
Like all drug firms with a Facebook presence, Pfizer lost some control in August when Facebook opened up pharma company pages to public commenting. But that was relatively mild compared to the loss of power it suffered in July at the hands of a group of hackers calling themselves the Script Kiddies.
During their brief takeover of Pfizer's Facebook page, no confidential information about the company or any individuals were at risk, said Pfizer, which has been in contact with Facebook to “understand how this incident occurred to ensure it doesn't happen again.”
Contrary to reports that Facebook was the source of the breach, Graham Cluley, senior technology consultant at worldwide computer security firm Sophos, told MM&M that traces left by the cyber thugs make it unlikely the social network was responsible for the illict entry.
Their online graffiti included a link to the profile of an employee of San Francisco-based WCG, the PR firm which, according to the agency's website, handles some corporate communications and interactive duties for Pfizer. (The employee's LinkedIn profile lists Pfizer as a social media client.)
“My suspicion is this page got hacked because [the employee] was sloppy with his security,” Cluley said. “If I were investigating this hack, the very first thing to do would be to look at the security of the page's administrators and in particular their passwords. That's where my money would be.”
He speculated that, if the employee referred to was in fact the system administrator for Pfizer's Facebook page, and his name and password had been hacked and already posted elsewhere online (hacktivist gangs such as LulzSec and Anonymous often post stolen passwords on a site called Paste Bin), the hackers could have found it and used it to open the Facebook account.
A Facebook spokesperson said the company doesn't comment on specific cases.