When an airline engages with third-party social applications - most notably Facebook and Twitter - it surrenders a huge amount of control to those applications without the privilege of auditing their security, or indeed the luxury of suggesting modifications that best suit the airline's social agenda. Engaging with these applications is of course the lesser of two evils, since refraining from that measure of engagement with its audience is a serious blow to the airline's brand exposure.
United Airlines found out the hard way that somebody may use its established and respected brand for unlawful purposes. Hackers gained access to the United Airlines Twitter account last Friday and used an opaque, truncated URL (third-party, of course) to direct 60-odd thousand users to a site that could potentially have exploited browser vulnerabilities, or perhaps encouraged users to surrender personal details. In this instance the message was worded in a way that identified it as an unauthorised tweet, but what would have happened if the hackers had said "70% off all airfares for the next 30 minutes"? How many users would have followed that link? The actual tweet directed users to a web page selling a male 'enhancement' product. This rules the pilots out of the suspect pool, of course, since they don't use such things. Cabin crew? Perhaps.
From personal experience, I've seen some airlines use simple (and often generic) passwords so that multiple stakeholders can log into the same account with ease. Remember, Twitter is usually managed by the often IT-illiterate marketing staff, so their security awareness is often somewhat questionable. A good password uses the maximum number of characters the service permits and consists of a random combination of alphanumeric characters and symbols. Many online Twitter applications allow an account to be assigned to particular users, but this potentially multiplies the number of access points that can be hacked to gain control of the account. Using an in-house, API-driven application can reduce the risks, but it may also limit the level of functionality unless purpose-built software is made.
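The password advice above, turned into code as an added illustration (this is not from the original post, nor any airline's or Twitter's own tooling): a checker that flags the "simple and generic" shared-password problem and a generator that fills the platform's maximum length from the operating system's random source. The maximum length of 32 and the small common-password set are constructed assumptions; a real deployment would consult the service's actual limit and a full breached-password list.

```python
import math
import secrets
import string

# Character classes the post recommends mixing: a random blend of
# alphanumeric characters and symbols.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())

# Constructed sample of the "simple and often generic" shared passwords the
# post warns about; a real deployment would use a full breached-password list.
COMMON_PASSWORDS = {"password", "password1", "twitter2012", "airline123", "marketing"}


def password_weaknesses(password: str, max_length: int) -> list:
    """Return the reasons a password falls short of the post's advice.

    An empty list means: not a known generic password, fills the platform's
    maximum length, and draws on every character class.
    """
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("matches a common or generic password")
    if len(password) < max_length:
        reasons.append(f"only {len(password)} of {max_length} permitted characters used")
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        reasons.append("no " + ", ".join(missing))
    return reasons


def entropy_bits(password: str) -> float:
    """Rough upper bound on guessing entropy.

    Assumes every character was drawn uniformly from the union of the
    character classes actually present; a dictionary word scores far too
    high here, which is why password_weaknesses() checks the list first.
    """
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(max_length: int) -> str:
    """Generate a password that fills `max_length` and passes the checks above.

    secrets.choice uses the OS CSPRNG; random.choice is not acceptable for
    credentials. The loop resamples in the rare case a class is missing.
    """
    if max_length < 12:
        raise ValueError("platform maximum too short to follow this advice")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(max_length))
        if not password_weaknesses(candidate, max_length):
            return candidate


if __name__ == "__main__":
    PLATFORM_MAX = 32  # assumption: the service's maximum password length
    for pw in ("airline123", "Summer2012!", generate_password(PLATFORM_MAX)):
        verdict = password_weaknesses(pw, PLATFORM_MAX) or "ok"
        print(f"{pw!r}: ~{entropy_bits(pw):.0f} bits; {verdict}")
```

Running it shows why the generic shared password loses on every count: it is on the list, it uses a fraction of the permitted length, and it draws on only two character classes, while the generated value passes its own checks. Sharing that generated value among several stakeholders still leaves the single-account problem the post describes; the check only addresses password quality.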
Will a Hacked Tweet Affect Your Brand?
When you tweet a message or URL on Twitter, the customer visits that link on your advice - not unlike a spoken recommendation. A poor choice of link won't necessarily reflect poorly on the destination page, but you will be personally blamed for your poor judgment, and an airline's brand could potentially be damaged.
The United Airlines hack didn't necessarily reflect poorly on United, since it was so clearly an unauthorised message (although I'm sure plenty of people followed the link out of naivety, neglect or curiosity). However, if it were established that carelessness in United's own security facilitated the breach, they might well be held accountable.
How to Respond to a Hack or Unauthorised Tweet
What did United Airlines do? They deleted the offending message 1 hour and 6 minutes after it was posted (quite a long time). They simply tweeted a quick apology and thanked those who brought it to their attention. Damage undone, really. Be quick to delete the offending data, be apologetic to all your users, and be thankful to those who reported it.
On the same day as the United incident, I got a direct (Twitter) message from our friends at @FlyingBrussels directing me to a website that was sexual in nature.
... and then the apology: