Lessons Learned From HMV's Very Public Twitter Meltdown

When entertainment giant HMV's Twitter account was hijacked by a 21-year-old intern, the world took notice. HootSuite CEO Ryan Holmes outlines the growing security demands of sensitive social media accounts.

At 9:45 a.m. last Thursday, the first of an unlikely series of messages went out from the official Twitter account at HMV, the global entertainment retailer with 7,000 workers and more than $1.5 billion in annual revenue.

"We’re tweeting live from HR where we’re all being fired! Exciting!! #hmvXFactorFiring," read the initial message from @HMVtweets, sent to the company’s more than 70,000 Twitter followers around the globe. Earlier that morning, some 60 employees at the 91-year-old company had been sacked in a round of downsizing. One of them had hijacked the official Twitter account to vent her frustrations. A difficult day was about to get worse.

In the course of seven subsequent tweets, Poppy Rose Cleere, the company’s newly axed 21-year-old online marketing and social media planner, aired HMV’s dirty laundry to the world: the "mass execution" of loyal workers; gross mismanagement at the head office; unpaid, illegal interns. She even got in a jab at her own social-media-challenged boss: "Just overheard our Marketing Director (he’s staying, folks) ask ‘How do I shut down Twitter?’ " she tweeted.

By the time the director finally regained control of HMV’s hijacked account and deleted the offending messages, the damage had already been done. The tweets had gone viral—shared thousands of times all over the world in a matter of minutes. The blogosphere was the first to take notice, running breathless posts about the rogue Twitter account. By the next morning, HMV’s "live-tweeted firing" had made headlines in nearly every major newspaper on both sides of the Atlantic. For the company—newly entered into bankruptcy protection and struggling to regain market share from online retailers—the PR debacle could hardly have come at a more inopportune time.

The worst part: None of it had to happen.

The Social Media Security Gap

In the aftermath, online experts and digerati have maligned HMV for leaving its social media in the hands of an entry-level hire. But the company is hardly alone in failing to safeguard its social media accounts. Many of the planet’s largest enterprises, in fact, remain just as vulnerable. For years, software tools known as social media management systems have been around for managing and protecting corporate social media assets (my company, HootSuite, is one of them). In many ways, not using one is equivalent to not bothering to password-protect your email. But few companies have opted in.

Why? Corporate protocol simply hasn’t kept pace with the speed of social media changes. Nearly overnight, social media has gone from dorm room toy to boardroom tool. Just a few years ago, only the most progressive companies dabbled with Twitter and Facebook, mainly as a soft, community-building channel. Today, 73 percent of Fortune 500 companies have Twitter accounts, and social media is a staple of corporate strategy, forecast to unlock some $1.3 trillion in value in the years ahead.

As the HMV fiasco shows, however, major enterprises are still delegating social media responsibilities to interns. Even companies with dedicated social media teams rarely have the proper tools or policies in place. Passwords to company accounts—which may be followed by thousands, even millions, of users—are routinely handed out to entry-level employees. Meanwhile, social media messages are posted without any fixed workflow or approval system.

It’s worth noting here that the Twitter and Facebook followings at large consumer brands can exceed the population of small-to-mid-size countries (organic grocer Whole Foods has more than 3 million Twitter followers; Coca-Cola has nearly 59 million Facebook fans). Delegating that kind of authority to junior employees—with few or no checks or balances in place—can amount to courting disaster. HMV’s rogue tweeter, Cleere, pointed out as much. "I hoped that today's actions would finally show them [senior management] the true power and importance of Social Media," she explained afterward on her own Twitter account, @poppy_powers, "and I hope they're finally listening."

Wake-up Call

So, for companies who suddenly are listening—and concerned—what now? Getting rid of social media altogether is hardly an option. I work with 79 of the world’s Fortune 100 companies and none of them are prepared to give up the competitive advantage of social media; even conservative financial institutions like Goldman Sachs now tweet to their clientele. Instead, the key is to mitigate social media risks in the office. And the right technology can play a big role. Here’s a look at simple steps to avert an HMV-scale social-media disaster:

  • Centralize social media channels: Audits of large enterprises like HMV routinely turn up dozens of ad hoc social media accounts, started by interns or community managers in multiple departments (often without official permission), each with its own managers, passwords and followings. A critical first step is consolidating these accounts into a single social media management system. These tools bring all social channels—Twitter, Facebook, LinkedIn, etc.—into one interface for easy monitoring and oversight. They also allow better tracking of the results of social media campaigns. Had HMV’s social channels been centrally monitored, the offending tweets might never have had a chance to go viral.

  • Control access through limited permissions: As HMV’s Twitter crisis makes clear, letting employees have all-access passes to a company’s social media accounts carries big risks. A safer solution is to give junior employees limited permission to draft messages, which can then be fed into an approval queue for senior management to sign off on before publishing. As little as a year ago, it was nearly impossible to find a social media management tool with this critical feature. My team built one, enabling companies to assign discrete permission levels on an employee-by-employee basis. This simple functionality could have averted disaster for HMV.

  • Get a handle on passwords: Equally critical is having a master switch for turning on and off employees’ access to different social-media accounts. Case in point: While HMV’s marketing manager struggled to "shut down" Twitter, a half-dozen additional incriminating tweets were fired out. The solution: single sign-on technology. Incorporated into enterprise-grade social media tools, single sign-on enables employees to log into social media accounts with the same username and password used for their company email account. Access can be turned on or off by a central administrator, who holds the real "keys" to the company’s social profiles.
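The three steps above can be modeled as one small access-control layer. The following is an added example, not HootSuite's code or API: the role names, the `SocialHub` class and the two-person rule are assumptions made for illustration. It shows limited draft permissions, an approval queue, and a central revoke that takes effect immediately and also purges the revoked user's pending drafts.

```python
from dataclasses import dataclass, field

# Hypothetical role names and permission sets (not any real product's API).
ROLE_PERMS = {"drafter": {"draft"}, "approver": {"draft", "approve"}}

class AccessDenied(Exception):
    pass

@dataclass
class SocialHub:
    roles: dict = field(default_factory=dict)      # user -> role, set by the central admin
    queue: dict = field(default_factory=dict)      # draft id -> (author, text)
    published: list = field(default_factory=list)  # messages that reached the channel
    audit: list = field(default_factory=list)      # (user, action, "allow" | "deny")

    def _require(self, user, perm):
        allowed = perm in ROLE_PERMS.get(self.roles.get(user), set())
        self.audit.append((user, perm, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{user} may not {perm}")

    def draft(self, user, text):
        self._require(user, "draft")
        draft_id = len(self.audit)          # unique: the audit log only grows
        self.queue[draft_id] = (user, text)
        return draft_id

    def approve(self, approver, draft_id):
        self._require(approver, "approve")
        author, text = self.queue[draft_id]
        if author == approver:              # assumption: two-person rule
            raise AccessDenied("author cannot approve own draft")
        del self.queue[draft_id]
        self.published.append(text)
        return text

    def revoke(self, user):
        """Master switch: remove the role and purge the user's pending drafts."""
        self.roles.pop(user, None)
        purged = [d for d, (author, _) in self.queue.items() if author == user]
        for d in purged:
            del self.queue[d]
        return purged

if __name__ == "__main__":
    # Constructed users and message, for illustration only.
    hub = SocialHub(roles={"intern": "drafter", "director": "approver"})
    hub.draft("intern", "New releases in store this Friday")
    hub.revoke("intern")                    # access pulled before sign-off
    print(hub.queue, hub.published, hub.audit)
```

Every allow and deny decision lands in `audit`, so a denied publish attempt after revocation is visible to whoever monitors the central system.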

Attitude Shift

Of course, technology is only as good as the people using it. Employees are in desperate need of social media training: on everything from the nuts and bolts of tweeting and posting to how to leverage social media for business strategy. And, more often than not, resistance still comes from the top—senior executives who think Twitter is just a distraction for sharing snapshots of lunch, not a tool for courting clients and building the customer base.

As HMV’s rogue tweeter—who began the company’s social media initiative as an intern just two years ago—points out, awareness remains half the battle. "Since my internship started, I worked tirelessly to educate the business of the importance of Social Media—not as a short-term commercial tool, but as a tool to build and strengthen the customer relationship, and to gain invaluable real-time feedback from the consumers that have kept us going for over 91 years," Cleere tweeted from her personal account. "While many colleagues understood and supported this, it was the more senior members of staff who never seemed to grasp its importance."

Chances are, they do now—at least the ones who still have jobs after last week's social media meltdown.

Ryan Holmes (@invoker) is the CEO of HootSuite, a social media management system with nearly five million users, including 79 of the Fortune 100 companies.

[Image: Flickr user Vanlal Tochhawng]


7 Comments

  • anonymous

    Recently left job where I managed social media accounts, including having been the individual who set up our HootSuite account, over 2 yrs ago.

    Took management upwards of 2 weeks to figure out how to revoke my access. If I had wanted to be malicious, I totally could have been, but that's just not my style.

    As Ryan says, there is a serious education gap, but unlike other specialized fields where management might not understand the field (example: engineers are not always managed by engineers, but sometimes businessmen), there is also often a lack of respect for, interest in or availability of commensurate pay to accompany the specialization.

    One of my memories of my past workplace was a meeting during which I was presenting on digital strategies to a team including our divisional Director.

    I moved to the next point on the agenda, listed as: "#x. SEO/SMO," and said something along the lines of, "and that brings us to SEO..." Before I could proceed, the Director interrupted me, and in a very condescending tone, said, "We already have some SEO's. I think we have enough of them. We don't need any more. Let's move on."

    I'm sure many of us who have managed social media have similar stories about managers who not only have no desire to learn about a technology that isn't going away, but are deathly afraid of having to even discuss it. 

    Turns out the Director mentioned--who also denied my request for a raise/promotion--was sacked today. Karma's a bitch, sometimes, I guess.

  • Mmeeks325

    Twitter can be a good tool to open doors when used correctly but given that a tool that started with so few people has grown to a major player in the world market it has to be handled correctly and management within companies need to prevent things like this at their level as with all things when they grow to a size that makes governments intervene and not in this case but have in the past with other social media networks and news companies throw bad publicity about it then it affects the people that use it with new rules and such all I say is a lesson learnt for the rest of us.

  • Guest

    She wasn't an intern. She'd had control of the account since she was an intern, but clearly had a title and a position at HMV when she was sacked.

  • DaveO from HootSuite

    Working with Ryan at HootSuite, I can attest to the disregard many major brands and government organizations have for social media – which IMO often acts as a handy excuse for "not doing it" despite overwhelming evidence to utility of these tools and tactics.

    Keep in mind, junior employees and interns are an incredibly important resource for ideation, reviewing campaign resonance, drafting copy etc., but keys to the bus is a whole other conundrum. Indeed, you cannot spell "Internet" without intern. At HootSuite, of course we eat our own dog food managing dozens of international social profiles, each with a mandate, a password process, and a distinct workflow for review and approvals. We've seen the damage of rogue tweets and don't wish that fallout on anyone. 

  • david carlson

    I don't think the account was "hacked" or "hijacked".  The authorized user used the account.  Hacking implies illegal access - her access was authorized by the company.

  • The Urban Daddy

    The question I have is this;

    Publicity aside, will people stop purchasing products at HMV because a recently-terminated employee shared her thoughts with the world?  I'm a pretty sensitive guy to companies, organizations and people who are taking advantage of others or doing something illegal, but a bankrupt company terminating employees seems like a fiscally prudent thing to do (albeit too late), so that tells me HMV is trying to get their house in order.

    Am I way off base???