Subterfuge by Tweet: An Analysis of Twitter’s Crisis Response

Late last week, Twitter co-founder Evan Williams reported that his personal Twitter account, his email account, and the email accounts of both his wife and another Twitter employee were all hacked as a way to gain access to private company documents (including projections and plans for next quarter). Those documents were picked up by several magazines and blogs and, ironically, made Twitter’s security one of the most popular search items of the day.

This level of Twitter infiltration has been anticipated by a number of industry experts. The Twitter business model, combined with unequaled growth in this space, means that the company has been particularly susceptible to online attacks. In fact, Twitter is fortunate that this security breach didn’t directly impact its users, only its leadership. Twitter has grown nearly 2,000% over the last year alone; one of the most common causes of business failure is growing too quickly, moving too fast and becoming unable to deliver for users in the same capacity.

Twitter’s business model hasn’t lent itself to security, either. Twitter based itself on the “megaphone” model, rather than the “campfire” business model that saw success in Facebook and other social networking Web sites. Facebook was designed to promote Harvard only, then a few select Ivy Leagues, and then, gradually, universities across the country. It built a reputation through exclusivity.

The last model similar to Twitter was the blog, which requires much more effort to maintain and is still less open to the public than Twitter. Twitter encouraged everyone to come on board and shout as loudly as they could along the way. That was an excellent initial model, but not structured enough to verify account identities or enforce security protocols.

Fortunately, what Twitter lacks in security preparedness it more than makes up for with excellent crisis communications. The actual attack occurred over a month ago, and the Twitter leadership decided against fanning the flames until they were certain it would become an issue. If Twitter had raised the crisis flag and attempted to be more proactive in informing constituents about it, they would have run the risk of raising questions unnecessarily. They created a plan in-house and were lucky enough to have a month to prepare for the first pirated documents to reach TechCrunch.

Once those documents were submitted and the first rumor spread of a security breach, Twitter responded almost immediately on the official Twitter blog, following the #1 rule of crisis communications: tell the truth and tell it first. Eighteen to 24 hours is no longer an acceptable timeframe, and Twitter’s listening program made it possible to anticipate when the public would catch wind of the hacked accounts, particularly within their own communities (Cision now monitors the Twitter accounts of journalists for this reason, and dna13 monitors over 40 million blogs as part of their listening platform).

The most important message in the Twitter crisis response was that the pirated documents would have no impact on users. Twitter understood that users cared about their security first and assured the public that none of the documents held information about Twitter users or Twitter security information. This was an important message, especially after several celebrities’ Twitter accounts were hacked earlier this year.

User security is going to become even more of a hot-button issue as Web applications gain popularity in the business arena. The caveat emptor of social media is that everything we do online is traceable: even “private” profiles on Facebook are not permission-based and can be forwarded to employers or clients. The law says that Internet providers like Explorer, Mozilla Firefox, and Safari are not responsible for the content or actions of a user group. Craigslist used the same defense recently in their information monitoring and sharing trial. Johnson & Johnson’s Marc Monseau has talked about the dilemma of separately tweeting on personal and business accounts; he warns that we are “always on”.

Nonetheless, Web-based businesses and social networking sites must respond to the pressure users place on privacy and security by listening to their communities and responding accordingly. While Twitter failed to create a platform that successfully manages security risks, its ability to market itself as a perpetual “beta” program and respond to crises successfully means that, one week later, the same record number of tweeters are still tweeting, 140 characters at a time.

Mike Smith is CEO and Ashley Houghton is an Account Supervisor at Michael Smith Business Development. Follow Mike Smith and Ashley Houghton on their Twitter accounts, @SmittyPA and @PRYouReady.