Los Angeles rail hijackings – a form of cargo theft

What is going on?

Recently, there has been substantial coverage of the hijacking of goods trains by thieves on Los Angeles (LA) goods lines (McFarland & Mossburg 2022). Images of damaged or discarded shipments from distributors to consumers (end users) strewn across the train tracks are common, as are photos of railway police trying to apprehend individuals and small groups running along the tracks.


Reportedly, these criminals force entry to stationary or slow-moving goods trains, ransacking any items which appear to be of value. Since they have been doing this for a while now, one must presume they have learned what more expensive packages look like (e.g. branded shipping boxes, specific logos), and that these are likely selected over lower value items (see my previous article here). Additionally, media reporting stated that larger, harder to move goods are discarded on the train tracks in favour of smaller items easily carried by a single person trying to flee the scene quickly. This activity is a form of cargo theft.

What is cargo theft?

The prevention of cargo theft is a core pillar of any supply chain security program, ensuring goods are not stolen in transit either from the factory to a distributor (for larger or bulk shipments), or from a distribution centre to the end user (as appears to be seen in this example).


How does cargo theft impact brand integrity?

When cargo theft occurs in bulk, there is a real risk that the diverted product is moved into grey markets (gray markets) or, alternatively, that stolen product is infiltrated into legitimate supply chains and then on-sold to end users (see Sugden 2009). An example of this scenario is where an authorised distributor is approached by a purported ‘wholesaler’ to purchase legitimate (non-counterfeit) stock at a discount to prices set by the manufacturer or standard wholesale prices.

In this scenario, distributors may knowingly or unknowingly purchase stolen but non-counterfeit product and then sell this to end users, with three potential business impacts:

  • The manufacturer is disadvantaged through erosion of their profit margins,
  • A ‘legitimate market’ is created for the stolen goods through poor purchasing controls by the distributor, and,
  • Potential future revenue leakage and brand damage to the manufacturer through services and warranty fraud, if a customer who purchased the non-counterfeit good from an authorised distributor makes a claim.

Cargo Theft Typologies

According to the latest BSI Survey on Supply Chain Risks (2020), there are four primary cargo theft typologies (note the report does not define each typology; I have added my own definitions here):

  1. Hijacking – where the vehicle (truck, train, plane, ship) carrying the goods is stopped and control is taken of the entire vehicle. Typically, vehicles are taken to a third location controlled by the hijackers for unloading and disposal. Hijackers may be working in collusion with trusted insiders (e.g. drivers or warehouse staff).
  2. Theft from a vehicle – whereas hijacking involves the whole vehicle, this typology involves stealing selected goods from the vehicle (e.g. specific boxes), and is what we see in the LAX examples.
  3. ‘Slash and grab’ – when cargo is transported in soft skinned trucks, the vinyl or canvas covers can be slashed and any items to hand quickly stolen.
  4. Other – undefined typologies, presumably including theft by employees or third parties as well as fraud (e.g. claims of shipments being damaged as cover for theft).

According to BSI, cargo theft primarily occurs in six geographical locations:

  • In-transit – whilst the vehicle is moving (e.g. slowed due to traffic congestion, stopped at traffic lights or an accident)
  • Rest areas – trucks carrying high value cargo without two drivers are at risk when the driver stops for a break or sleep
  • Warehouse – there are at least two risks here:
    • Theft from warehouse by criminals (e.g. breaking & entering) with no insider involvement
    • Inventory theft or fraud by trusted insiders (e.g. employees)
  • Unsecure roadside parking – where a loaded vehicle is parked either at the point of origin or destination
  • Freight facility – where multiple trucks / trains are unloaded in a single location
  • Other locations – these are not defined

How do the proceeds of cargo thefts end up in grey markets?

We sometimes see high value goods, such as stolen motor vehicles, being exported from the jurisdiction where the theft occurred (e.g. the USA) to an overseas jurisdiction where the product is in high demand and where criminals can obtain substantial profit margin on the sale of the stolen goods.

It might also be common to see consumer products sold online (either individually or in bulk) by a business or individual seller, or sold to authorised or unauthorised distributors [an ‘authorised distributor’ is defined as one which has a signed distribution agreement with the manufacturer or Intellectual Property Rights (IPR) owner and is conducting its business operations in the geographic area(s) stated in the agreement].

In the case of the LA activity, the stolen goods seem to be packages shipped from distributors which are stolen before delivery to the consumer (end user), rather than bulk shipments (e.g. multiple copies of the same product). These stolen goods can also be sold online, in person through social networks or on street corners, or at local flea markets.


What can be done to help mitigate this type of cargo theft?

There are three main strategies that can be employed to mitigate the types of risks seen in Los Angeles, as follows:

  • Physical Security (including use of tamper evident seals) – appropriate (i.e. risk-based) physical security should be part of any Supply Chain Security program. This may be the responsibility of the logistics provider (i.e. a third party) or the manufacturer. Most shipments are covered by insurance against theft or damage, but this may be subject to exclusions.
  • Market Surveillance – a robust market surveillance program is essential for the protection of your products, IPRs and ongoing brand integrity. This involves using Open Source Intelligence (OSINT) techniques to monitor physical and online markets (e.g. flea markets, online market places like eBay and Gumtree) as well as social media for sales of your products, monitoring pricing (pricing surveillance), conducting test purchases (to determine the origin of the product for diversion and grey market purposes), and identification of sellers to determine whether they are authorised or unauthorised.
    • This data should be added to a Graph database to facilitate Social Network Analysis and other intelligence analysis and investigative methods which might help to identify the criminal value chain and map organised crime groups involved in this activity.
  • Collection and analysis of incident data – in my previous post on product fraud and security risk assessments, I discussed the importance of capturing current and historical incident data for analysis. The sorts of questions you need to ask of your data here include whether there are any common themes or trends and whether any specific products are at higher risk than others (e.g. those which are more valuable or CRAVED by thieves).
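
To make the market surveillance and graph analysis points above concrete, here is an added Python example (not from the original article) that links sellers sharing a contact detail and flags unauthorised sellers pricing below wholesale. All seller names, contact details and prices are constructed, and treating a below-wholesale price as the review trigger is an assumption.

```python
from collections import defaultdict

# Constructed sample data: listings recorded during market surveillance.
# Seller names, contact details and prices are invented for illustration.
AUTHORISED = {"acme-retail"}   # sellers with a signed distribution agreement
WHOLESALE_PRICE = 100.0        # hypothetical standard wholesale price

LISTINGS = [
    {"seller": "acme-retail", "contact": "sales@acme.example", "price": 129.0},
    {"seller": "bargain_bob", "contact": "0400-000-001", "price": 70.0},
    {"seller": "dealz4u", "contact": "0400-000-001", "price": 72.0},
    {"seller": "dealz4u", "contact": "pickup: 1 Example St", "price": 72.0},
    {"seller": "weekend_stall", "contact": "pickup: 1 Example St", "price": 65.0},
    {"seller": "solo_seller", "contact": "solo@mail.example", "price": 95.0},
]

def seller_clusters(listings):
    """Group sellers that share any contact detail (connected components)."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for row in listings:
        # Join the seller node to the contact node; sellers that reuse a
        # contact detail end up in the same component.
        parent[find(("seller", row["seller"]))] = find(("contact", row["contact"]))

    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "seller":
            groups[find(node)].add(node[1])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def flag_for_review(listings, authorised, wholesale):
    """Unauthorised sellers listing below wholesale: test-purchase candidates."""
    return sorted({r["seller"] for r in listings
                   if r["seller"] not in authorised and r["price"] < wholesale})

def prioritised_networks(listings, authorised, wholesale):
    """Clusters of two or more linked sellers in which every member is flagged."""
    flagged = set(flag_for_review(listings, authorised, wholesale))
    return [c for c in seller_clusters(listings) if len(c) > 1 and set(c) <= flagged]

if __name__ == "__main__":
    print(seller_clusters(LISTINGS))
    print(flag_for_review(LISTINGS, AUTHORISED, WHOLESALE_PRICE))
    print(prioritised_networks(LISTINGS, AUTHORISED, WHOLESALE_PRICE))
```

The same seller and contact nodes can be loaded into a graph database once the volume of listings grows beyond what an in-memory structure handles comfortably.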


Whilst cargo theft is a risk, there are controls and other measures which can be implemented to mitigate it. Proper planning is essential, as is the use of security risk analysis to identify where effort (and budget) should be allocated, and the use of intelligence methods to continuously monitor the market and those actors (individuals, legal entities) involved in it. Ideally, any incidents are either prevented, detected or disrupted before a loss is incurred, but in some cases formal investigation may be required.


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

When values collide: employee / employer values conflicts as a source of insider threat

Author: Paul Curwell


Within any organisation, it is typical to find employees with a diverse range of views on all manner of political and social issues. The rise of social media has made it easier for us to share our views, both inside and outside of the workplace, creating potential for employees to post material or views which may conflict with their employer’s policies, contract of employment, or even their fiduciary duties as an employee. Additionally, we are in an era of increasing global consciousness around big-ticket items, such as climate change, corruption and personal freedoms (e.g. Arab Spring) and social / economic equality (e.g. Occupy Wall Street), which are serving to rally people behind a cause.


Importantly, there is nothing wrong with each of us having these views and sharing them appropriately, such as in public debate. However, in my view it is inevitable that at some point, conflict will arise between the employee and their employer unless they are broadly aligned in terms of views and values. As an individual and as a people leader, I have always maintained it is essential that employees be able to identify with the values and mission of their employer, otherwise employee engagement and satisfaction will decline.

Values can also change over time, and it may be that the values alignment which existed upon commencement of employment is not there some years later. Increasingly in Australia, we are seeing cases where employees or contractors disagree with fundamental positions of their employer, and are proactively doing something about it which is in breach of their legal obligations to their employer. This activity constitutes an ‘insider threat’ which needs to be managed carefully.

So what sort of issues are we referring to here?

The landscape of these causes is continually evolving as society evolves. Historically, those causes with a tendency to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important have been referred to as “issue motivated groups” (IMGs), however I note this term is no longer mentioned in recent annual reports or in the ASIO Act. In 2011, then Director General of Security, Mr. David Irvine AO, defined it as follows in response to a question posed within the Australian Parliament:

“Issue motivated groups is a term we use within ASIO to describe those groups who conduct activities that might lead to violence or to activities that are prejudicial to security”

Mr David Irvine AO, 18 October 2011. See below for full citation.

Every single human is an individual, and we all express a diversity of views which makes our global society what it is today. There is nothing wrong with each of us having our own views, but it gets complicated in terms of insider threats when (1) our views put us in direct conflict with those of our employer, or (2) we start to use violence or extreme violence (e.g. methods commonly associated with terrorist acts) to promote our causes. This form of insider threat is particularly pernicious given the potential ways an insider threat can manifest, including:

  • Workplace sabotage – either to data, systems, physical assets, or reputation, with the aim of having the organisation stop doing something or to draw public attention to it
  • Information leaks / unauthorised disclosure – including providing information on business activities, staff movements, senior staff personal details (e.g. home addresses), or security measures which would make the organisation more vulnerable to attack
  • Espionage-like activities – where the employee is effectively a mole or plant willing to act on the instruction of an external party. This includes the intentional infiltration of highly motivated threat actors into an organisation through the recruitment process or supply chain
  • ‘Soft issues’ – such as ‘go slows’ (e.g. inaction) in the workplace, which effectively means the employer is hindered in achieving its objectives by its workforce

This challenge is not limited to employers and their contractors; it is also pervasive throughout the supply chain, which substantially increases their vulnerabilities, as illustrated by this quote:

Ben Pennings from Galilee Blockade said they now had almost “too much information” from insiders after their “dob in a contractor” campaign.

Robertson, J. (2019). Adani mining insider reveals she is leaking material to environmental activists, ABC News. See below for full citation.

Often, contracting organisations (employers) limit the scope of their involvement or oversight in their suppliers’ security to a few lines in a contract, stating the supplier should have a security or risk management program. Mature organisations will prescribe security standards for their suppliers, and even more mature organisations will audit this compliance through standard vendor auditing programs.

So what types of causes have historically attracted this type of focus?

The spectrum of causes and issues which can result in insider threats of this nature is broad and constantly evolving. Examples of some of these issues include:

  • Environmental protection and climate change
  • ‘Right to life’ movements
  • ‘Occupy Wall Street’
  • Social equality movements
  • Animal rights and animal testing
  • Fossil fuels

To reiterate once again before a reader shoots me down, there is nothing wrong with exercising your democratic rights to freedom of speech and peaceful protest. This does become an issue, however, when violence or other criminal acts are involved, including within the workplace. Typically these sorts of issues can be plotted on a spectrum, and an employee may move from left to right (and back again) on this spectrum over time as their views and the actions of their employer evolve. My interpretation of this spectrum is illustrated below:

Created by Paul Curwell (2021), copyright.

Organisations which are involved in socially or politically contentious policies or activities will almost certainly know this, but it is common to find these considerations not incorporated into a threat or risk assessment. Even rarer is consideration of these matters within contracts with vendors and supply chain risk.

Any work performed in this area should have oversight from a diverse management committee and not be driven by a security function alone. Whilst a security team might have the best of intentions and undertake work in this area that is fair and balanced, perceptions of those not involved in the process may be different which could undermine the outcome and ultimately have a detrimental effect on employee satisfaction and performance more broadly.

What can organisations do to manage this issue?

Firstly, it’s important that employers have clear policies and guidance available for staff (and suppliers) on these matters, and that they are regularly communicated and fairly enforced. To maximise employee support, transparency and employee consultation for any new policies are critical. These principles are standard for any workplace policy. Policies should extend to conflicts of interest (actual and perceived) for employees, particularly those who are active outside of work in forums or associations where they are exercising their democratic rights. These employees, in particular, need clear guidance and management support to ensure they do not unintentionally stray into the orange zone of the spectrum (see above). It is also important that employers develop and clearly communicate a policy and framework for how any workplace incidents will be managed.

Secondly, employers need to have a clear understanding of the risks including:

  • Assets (information, people, systems, facilities, products, reputation) that need protecting
  • What the risks actually are and how they may manifest
  • The likelihood of them manifesting, which will change over time and therefore require regular oversight
  • The coverage of internal controls and the effectiveness of these controls (i.e. are there gaps and do these gaps create unacceptable vulnerabilities)
  • Are there any teams / unique positions that are more at-risk than others? For example, someone with strong views but who is not in a position to do harm in the workplace may need to be managed differently to someone with strong views who is in a position to do harm

Third, insider threat management starts before the employment contract is signed and continues after an employee or contractor has left the organisation until the potential for harm can be satisfactorily reduced. This means:

  • You need to consider this risk when designing your Employment Screening / Employee Due Diligence program.
  • Employee Screening should be undertaken before a contract of employment is issued, periodically during employment (e.g. annually), in response to a workplace incident or other trigger (i.e. by exception), and upon termination of employment (to understand what, if any, risks the recently departed employee may pose).
  • Don’t forget suppliers, vendors and contractors pose similar risks (potentially more if they have access to critical assets / processes and no oversight). This requires consideration starting with vendor selection through to contracting, operations, and termination of a supplier contract.
  • Insider Threat Detection programs need to be designed to focus on critical assets and the organisation’s highest risks. Not all parts of an organisation may require the same control coverage or risk mitigation.
  • Independence may be critical to ensuring employee support on key initiatives such as ongoing due diligence. You may need to use an independent, objective third party to perform your due diligence to ensure only those findings involving employees which are material to any threat assessment make it onto an employer’s records.
  • Employers should ensure they, and any service providers, comply with the Privacy Act 1988 (Cth) and its Permitted General Situations (Chapter C) when performing this work.

Lastly, ensure your Insider Threat Program incorporates views from a diverse range of stakeholders. The need for this diversity highlights the importance of having an Insider Threat Management Committee made up of representatives from different functional areas, including the business and center functions such as HR, legal, IT and security, rather than actions being driven by security or fraud functions alone.
