News

← Home / News

Every crisis leaves lessons behind.

In our monthly Crisis Series, Phoenix Resilience examines real-world events and the decisions that influenced their outcomes.

This month, we explore Malevolence - from product tampering to cyberattacks - and what leaders can learn to better prepare for, respond to, and recover from intentional acts of harm.

The Crisis Series: Malevolence

tylenolnewspaper
Front page of The Daily Pantagraph, October 1982, announcing the crisis. Image from pantagraph.com

Seven people in the Chicago area died after consuming Tylenol capsules poisoned with potassium cyanide.

A trusted pain reliever had been turned into an instrument of malevolence.

The perpetrator had taken bottles from store shelves home with them, replaced the contents of the capsules with potassium cyanide then returned the bottles to store shelves ready for purchase.

In 1982, tamper evident packaging was not used for over-the counter medications, making execution of the crime relatively simple.

Johnson & Johnson, the producers of Tylenol, suddenly faced a crisis driven by intentional external hostility.

In The Crisis Manager, Dr. Otto Lerbinger defines a crisis of malevolence as a situation in which “opponents or miscreant individuals use extreme and often criminal tactics for the purpose of expressing hostility toward, or seeking gain from, a company, country or economic system, perhaps with the aim of destabilising or destroying it.”

These acts of malevolence can come from internal and external sources.

External Source: Tylenol Murders

tamperresistantpress
Johnson & Johnson held a nationwide news conference on 11 November 1982 to announce Tylenol’s new tamper-resistant packaging. Photo from chicagotribune.com

The 1982 Tylenol tampering crisis is one of the most studied examples of external malevolence.  

The perpetrator’s identity and motives were never established, with theories including stock manipulation or extortion.  

But Johnson & Johnson responded with speed and transparency. 

The company halted production and advertising of Tylenol, issued nationwide warnings, voluntarily recalled millions of bottles of the drug at a cost of over US$100 million, offered free of charge exchanges for safer solid tables, established a hotline for concerned customers, and developed industry standard tamper evident packaging.

In his media communications, CEO James Burke prioritised consumer safety and collaborated openly with authorities. 

Despite taking a massive short-term financial hit and suffering a temporary collapse in market share, Johnson & Johnson’s approach enabled Tylenol to regain most of its market share within months and set a benchmark for effective crisis management.

External Source: Strawberry Contamination

strawberrys
Strawberries sold in major Australian supermarkets were contaminated with needles in 2018. Photo from bbc.com

The Australian strawberry needle contamination crisis is another example of external malevolence. 

In September 2018, sewing needles were discovered in punnets of strawberries sold by major retailers, resulting in 186 reported cases of contamination across multiple states. 

Coles, Woolworths, and Aldi pulled strawberries from shelves nationwide, and authorities issued public warnings. 

The Queensland Government offered AU$100,000 rewards for information and announced a AU$1 million assistance package for affected growers. However, criticism arose over the delayed public announcement and initial lack of a complete product recall. 

The crisis caused devastating short-term damage to the industry, with estimated losses exceeding AU$160 million. Many growers were forced to destroy entire harvests, leading to significant job losses. 

The contamination was eventually contained, but the incident exposed major vulnerabilities in fresh produce supply chains and prompted stronger food tampering legislation across the country. 

The perpetrator’s motive appeared to be personal revenge or workplace grievance, with police and industry groups suspecting a disgruntled former employee, although the individual initially charged was never convicted.

External Source: Colonial Pipeline Attack

colonial pipeline
Colonial Pipeline suffered a ransomware cyberattack as a result of a compromised password. Photo from Jim Lo Scalzo/EPA via Shutterstock

A case of external cyber-based malevolence occurred in 2021 when Colonial Pipeline (an American oil pipeline system) suffered a ransomware cyberattack.  

The attackers, a hacking group named DarkSide, sought financial profit.

DarkSide encrypted systems using a compromised password and received a ransom of approximately 75 bitcoins (one bitcoin was worth US$57,000 at the time).  

Colonial Pipeline shut down its entire pipeline network to contain the threat, promptly notified the FBI, paid the ransom to obtain a decryption tool, and worked with cybersecurity experts while relying on its backups for recovery.

Operations resumed five days after the initial shutdown.

In its response to the crisis, the company incurred the ransom payment (much of which the FBI later recovered), recovery costs and investigation costs.

The company faced widespread fuel shortages, panic buying across the US East Coast, reputational criticism for paying the ransom, and congressional scrutiny.

The incident emphasises the high stakes of critical infrastructure vulnerabilities and the need for strong cybersecurity defence.

Internal Source: Cash App Data Breach

cashapp
Personal data held by Cash App was obtained through a data breach. Image from Tada Images via Shutterstock

The 2022 Cash App data breach presents an example of internal malevolence. 

The perpetrator, a terminated employee seeking revenge, downloaded reports containing the personal and financial information for over eight million customers.

The perpetrator still held unauthorised access despite their employment having been terminated.  

He gained limited immediate material benefit; the data lacked highly sensitive details like passwords or Social Security numbers and he appears to have been motivated primarily by personal grudge rather than direct financial gain. 

Block (Cash App’s parent company) discovered the breach months later and disclosed it in an April 2022 SEC filing.

The company notified affected customers and cooperated with law enforcement and a third-party forensics firm. 

Block strengthened its security protocols, improved employee offboarding procedures to immediately revoke access on termination, and took remedial steps to protect user data.

A US$15 million class-action settlement related to the breach and broader compliance issues was paid and the company faced additional multimillion-dollar regulatory penalties tied to security and anti-money laundering failures.

Block harmed user trust and suffered reputational damage from the delayed notification.

Successful Response Patterns

These cases provide valuable insights into what worked well and what did not work so well. 

Defensive or delayed responses tended to worsen damage by eroding public trust and inviting secondary consequences such as litigation, adverse media coverage, loss of market share and financial losses. 

What worked well in these cases was the organisation prioritising consumer safety, being transparent, and implementing timely and effective corrective measures. 

The Cash App data breach demonstrated the importance of rapid containment and notification, cooperation/coordination with authorities, followed by systemic security reforms. 

Strategies to Combat Malevolence

Screenshot 2026-05-04 at 16.44.18
The PPRR Cycle. Image from knowledge.aidr.org.au

Organisations can and should combat malevolence. 

Different strategies are needed for internal threats vs external threats in cases of malevolence. 

Internal: 

  • Focus on an organisational culture built on trust, ethical leadership, sound governance, and transparency. 
  • Develop the ability to detect security breaches and anomalies without creating a dysfunctional workplace (no trust, excessive controls) and hampering service delivery. 

External: 

  • Have a high level of awareness of external vulnerabilities and threats. 
  • Implement programs to mitigate vulnerabilities and threats. 
  • Recognise that these threats change constantly and put methods in place to detect the changes. 

Several strategies can be adopted across the prevention, preparedness, response and recovery cycle: 

Prevention 

Prevention begins with understanding the organisational context and methodically identifying vulnerabilities and threats across all areas of the organisation.

In production, this includes product tampering; in finance, this includes fraud; and in IT, this includes data vulnerabilities and cyber extortion indicators.

It is essential to ensure internal ownership for mitigating these vulnerabilities and that the responsibility for implementing controls is clear.

This can be achieved through a well-designed risk management program that is effectively implemented across the organisation.

Preparedness

In a malevolence crisis, the Crisis Management Team must make sense of a complex situation in a short amount of time to inform response actions. This requires decision-making under pressure. 

Rapid response decision-making skills can be developed through specialised training, underpinned by a quick guide comprising decision-making tools. 

The Crisis Management Plan will also include instructions on forming the crisis team with subject matter experts in legal, security, communications and operations. 

Further preparedness can be built through scenario-based exercises.

Response

Activating the Crisis Management Team and managing communications are the first priorities. 

The CDC’s Crisis and Emergency Risk Communication strategy provides insights into what effective crisis communication looks like.  

It offers six practical principles: be first, be right, be credible, express empathy, promote action, and show respect: 

CERC 6 Principles
The six principles of the CDC’s Crisis + Emergency Risk Communication. Image from cdc.gov

Recovery

In the recovery stage, post-incident reviews help identify gaps and improvements, such as enhanced tamper-proofing, stronger access controls, or upgraded cybersecurity to rebuild the organisation’s credibility.  

In the recovery phase, it is also important to recognise the mental wellbeing of the response team.  

Responders frequently internalise breaches as personal failures. 

This leads to feelings of guilt and self-blame, especially if they feel they “missed” a signal that could have prevented the attack.  

Some responders report symptoms similar to PTSD, including anxiety, intrusive thoughts about future attacks, and sleep deprivation (reported by 85% of responders in one study). 

What about the future?

As old threats remain, new ones emerge.  

AI significantly increases the risk of cyberattacks by enabling attackers to operate at a speed, scale, and level of sophistication that traditional human-led defences struggle to match. 

Recent data indicates that breakout times - the time it takes for an attacker to move laterally after an initial breach - have dropped to under an hour due to AI-driven automation.  

AI dramatically increases the capability of non-trained attackers - often called “script kiddies” - by effectively removing the technical learning curve required to execute high-impact hacks.   

By replacing years of programming study with natural language interaction, AI shifts the barrier from “tool fluency” to simple “conceptual understanding.”  

Organisations should embrace continuous vigilance and develop agile crisis management frameworks that address this evolving threat landscape. 

In doing so, they turn malevolence crises into opportunities to demonstrate operational readiness and resilience.  

This article is part of Phoenix Resilience's Crisis Series.

Join us on Wednesday, 1 July, for our next instalment as we explore Biological Crises and the lessons they hold for crisis leaders and organisations.

© Phoenix Resilience 2026