The Incident

In 1982 Johnson & Johnson, the company that makes Tylenol, had to contend with a major financial and image problem when contaminated Tylenol capsules caused the deaths of seven people. Investigators discovered that someone had filled Tylenol capsules with a solid cyanide compound and replaced the original Tylenol bottles with poisoned ones in some supermarkets and drug stores.

What is noteworthy is the series of actions Johnson & Johnson took. It distributed warnings to hospitals and distributors, stopped Tylenol production and advertising, and issued a nationwide recall of Tylenol products with an estimated retail value of over US$100 million. The company also asked the public not to consume any products containing Tylenol. “When it was determined that only capsules were tampered with, they offered to exchange all Tylenol capsules already purchased by the public with solid tablets.” In the middle of the scare, Tylenol's market share shrank from “35% to 8% but it rebounded in less than a year, a move credited to J&J’s prompt and aggressive reaction”.

What is the lesson?

I think most service providers can learn a lot from this approach: being proactive about breach disclosure, being open and honest with the public, and actually fixing the vulnerability that caused the breach in the first place.
This is especially true for companies in the EU, which are not mandated to notify users whose data has been compromised.

Granted, the Tylenol case involved human lives, so the public and media reaction will always be bigger, but the principle is the same.

Spotify is adopting a similar strategy, keeping track of concerned users' comments on its blog and addressing them. From the user comments it is clear that many are understandably not happy, but I also read quite a number that were pleased with the effort being made to address their concerns. For a small company, and given the nature of the breach, they have done what many companies that store credit-card numbers failed to do.

Notes:
1. Don't store more information than NECESSARY
2. Notify users early and have mitigation plans in place before the crisis boils over
3. Be open and honest with the public
4. Encourage users to use strong passwords
5. Actually DO something about the vulnerability
