Los Angeles rail hijackings – a form of cargo theft

What is going on?

Recently, there has been substantial coverage of the hijacking of goods trains by thieves on Los Angeles (LA) goods lines (McFarland & Mossburg 2022). Images of damaged or discarded shipments from distributors to consumers (end users) strewn across the train tracks are common, as are photos of railway police trying to apprehend individuals and small groups running along the tracks.

Photo by Daniel Semenov on Pexels.com

Reportedly, these criminals either force entry to stationary or slow-moving goods trains, ransacking any items which appear to be of value. Since they have been doing this for a while now, one must presume they have learned what more expensive packages look like (e.g. branded shipping boxes, specific logos) and are likely selected over lower value items (see my previous article here). Additionally, media reporting also stated that larger, harder to move goods are discarded on the train tracks over smaller items easily transported by a single human trying to flee the scene quickly. This activity is a form of Cargo Theft.

What is cargo theft?

The prevention of cargo theft is a core pillar of any supply chain security program, ensuring goods are not stolen in transit either from the factor to a distributor (for larger or bulk shipments), or distribution centre to end user (as appears to be seen in this example).

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

How does cargo theft impact brand integrity?

When cargo theft occurs in bulk, there is a real risk the diverted product is moved into grey markets (gray markets)  or alternately that stolen product is infiltrated into legitimate supply chains, and then on-sold to end users (see Sugden 2009). An example of the scenario that occurs here is where an authorised distributor is approached by a purported ‘wholesaler’ to purchase legitimate (non-counterfeit) stock at a discount to prices set by the manufacturer or standard wholesale prices.

In this scenario, distributors may knowingly or unknowingly purchase stolen but non-counterfeit product and then sell this to end users, with three potential business impacts:

  • The manufacturer is disadvantaged through erosion of their profit margins,
  • A ‘legitimate market’ is created for the stolen goods through poor purchasing controls by the distributor, and,
  • Potential future revenue leakage and brand damage to the manufacturer through services and warranty fraud, if a customer who purchased the non-counterfeit good from an authorised distributor makes a claim.
Photo by Quintin Gellar on Pexels.com

Cargo Theft Typologies

According to the latest BSI Survey on Supply Chain Risks (2020), there are four primary cargo theft typologies (note the report does not define each typology, I have added my own definitions here)

  1. Hijacking – where the vehicle (truck, train, plane, ship) carrying the goods is stopped and control is taken of the entire vehicle. Typically, vehicles are typically taken to a third location controlled by the hijackers for unloading and disposal. Hijackers may be working in collusion with trusted insiders (e.g. drivers or warehouse staff).
  2. Theft from a vehicle – whereas hijacking involves the whole vehicle, this typology involves stealing selected goods from the vehicle (e.g. specific boxes), and is what we see in the LAX examples.
  3. ‘Slash and grab’ – when cargo is transported in soft skinned trucks, the vinyl or canvas covers can be slashed and any items to hand quickly stolen.
  4. Other – undefined typologies, presumably including theft by employees or third parties as well as fraud (e.g. claims of shipments being damaged as cover for theft).

According to BSI, cargo theft primarily occurs in six geographical locations:

  • In-transit – whilst the vehicle is moving (e.g. slowed due to traffic congestion, stopped at traffic lights or an accident)
  • Rest areas – trucks carrying high value cargo without two drivers are at risk when the driver stops for a break or sleep
  • Warehouse – there are at least two risks here:
    • Theft from warehouse by criminals (e.g. breaking & entering) with no insider involvement
    • Inventory theft or fraud by trusted insiders (e.g. employees)
  • Unsecure roadside parking – where a loaded vehicle is parked either at the point of origin or destination
  • Freight facility – where multiple trucks / trains are unloaded in a single location
  • Other locations – these are not defined

How do the proceeds of cargo thefts end up in grey markets?

We sometimes see high value goods, such as stolen motor vehicles, being exported from the jurisdiction where the theft occurred (e.g. the USA) to an overseas jurisdiction where the product is in high demand and where criminals can obtain substantial profit margin on the sale of the stolen goods.

It might also be common to see sales of consumer products being sold online (either individually or in bulk) by either a business or individual seller or sold to authorised or unauthorised distributors [an ‘authorised distributor’ is defined as one which has a signed distribution agreement with the manufacturer or Intellectual Property Rights (IPR) owner and is conducting their business operations in the geographic area(s) stated in the agreement].

In the case of the LA activity, the stolen goods seem to be packages shipped from distributors which are stolen before delivery to the consumer (end user), rather than bulk shipments (e.g. multiple copies of the same product). These stolen goods can also be sold online, in person through social networks or street corners, or local flea markets.

Photo by Mark Dalton on Pexels.com

What can be done to help mitigate this type of cargo theft?

There are three main strategies that can be employed to mitigate the types of risks seen in Los Angeles, as follows:

  • Physical Security (including use of tamper evident seals) – appropriate (i.e. risk-based) physical security should be part of any Supply Chain Security program. This may be the responsibility of the logistics provider (i.e. a third party) or the manufacturer. Most shipments are covered by insurance against theft or damage, but this may be subject to exclusions.
  • Market Surveillance – a robust market surveillance program is essential for the protection of your products, IPRs and ongoing brand integrity. This involves using Open Source Intelligence (OSINT) techniques to monitor physical and online markets (e.g. flea markets, online market places like eBay and Gumtree) as well as social media for sales of your products, monitoring pricing (pricing surveillance), conducting test purchases (to determine the origin of the product for diversion and grey market purposes), and identification of sellers to determine whether they are authorised or unauthorised.
    • This data should be added to a Graph database to facilitate Social Network Analysis and other intelligence analysis and investigative methods which might help to identify the criminal value chain and map organised crime groups involved in this activity.
  • Collection and analysis of incident data – in my previous post on product fraud and security risk assessments, I discussed the importance of capturing current and historical incident data for analysis. The sorts of questions you need to ask of your data here includes whether there are any common themes or trends and whether any specific products are at higher risk than others (e.g. those which are more valuable or CRAVED by thieves).


Whilst cargo theft is a risk, there are controls and other measures which can be implemented to mitigate it. Proper planning is essential, as is the use of security risk analysis to identify where effort (and budget) should be allocated, and the use of intelligence methods to continuously monitor the market and those actors (individuals, legal entities) involved in it. Ideally, any incidents are either prevented, detected or disrupted before a loss is incurred, but in some cases formal investigation may be required.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Building a media monitoring capability 101

Author: Paul Curwell

Media Monitoring as part of a wider externally-focused risk intelligence capability

Businesses cannot operate effectively without an external listening capability that helps identify current and emerging issues in the operating environment. Competitors, regulatory change, technological innovation, and important developments involving suppliers and key customers have historically been ‘followed’ by businesses everywhere. However, with the rising importance of reputation risk and regulatory compliance, topics such as economic & trade sanctions, corruption, fraud, privacy & security incidents, business interruptions, modern slavery and environmental issues are also being increasingly watched, especially where suppliers or contractors pose a risk ‘by association’ to the buyer.

Our 24/7 news cycle and the global pace of change means it is no longer viable to read the newspaper once a day or occasionally Google a competitor every few months in your spare time to identify changes in your operating environment – media monitoring today needs to be a core part of your risk intelligence capability, employed on a systematic, continuous basis and integrated into other business processes to add value.

Conceptually, media monitoring seems relatively straightforward, but it follows the iceberg principle with most of the challenges laying beneath the surface. Many organisations struggle with media monitoring when they need to operate across large volumes of search criteria, countries, languages and mediums. Practically speaking, there are also differences between monitoring traditional print, TV and radio channels and social media: This post focuses on traditional channels, whilst social media will be addressed in a future article. The article outlines the key considerations when designing a media monitoring capability, the challenges, what to focus on, and what to do with what you’ve found.

Selecting sources and monitoring tools

The majority of media monitoring programs are run in an ad-hoc manner, without any real understanding of the sources or content of interest. The sophistication of these programs range from performing ad-hoc searches in the internet browser, to using tools such as Google Alerts and data aggregators. Typically, businesses focus on print media to the exclusion of TV and Radio, despite both having interesting and relevant content (take for example, an executive from a competitor being interviewed on the business channel).

The first step in selecting sources involves thinking about what, and who, you want to monitor, and where the content would be published. This ‘where’ is a function of both geography but also industry, as some of the richest coverage might be featured on niche industry platforms. Media monitoring typically focuses either on people or entities, both of which involve name-based searches (e.g. ‘Apple’ or ‘Tim Cook’). Where large numbers of search results are returned, it is normal to use boolean operators to write queries which search for the individual or entity’s name in conjunction with other search criteria, such as ‘strategy’ or ‘fraud’. This process can get quite complex, involving potentially dozens of words of interest (or derivatives of them, such as ‘Crim*’ to search for ‘criminal’, ‘crime’, etc in the same search) in addition to the entity name (i.e. “[name]” and “crim*”).

Media Monitoring Challenges

Licensing and Copyright – news information is subject to copyright, and many IP Rights Owners require their content to be licensed. These costs, and any licensing constraints (e.g. forwarding of a complete article is prohibited without an enterprise license) will require some thought around how any capability is designed, as well as impacting budget.

Syndication – increasingly common globally, syndication has the effect of increasing the volume of search results. Platforms such as Factiva have in-built tools to remove duplicates, however manual processes (e.g. Google Alerts) may take additional time to process

Reliability of free tools – free media monitoring tools use a variety of technologies to identify and index content, which can impact reliability. Unlike platform providers, they typically require closer scrutiny to ensure they are performing as intended.

Press Freedom and ‘Right to Forget’ laws – the reliability and coverage of the mainstream media is increasingly being influenced by attacks, government constraints on journalists, and corruption. In other jurisdictions, ‘Right to Forget’ laws mean the subjects of adverse coverage can have articles such as coverage of convictions or imprisonment deleted, impacting historical search results.

Where large volumes of search queries are required and where budgets allow, news aggregators such as Factiva and ProQuest, as well as other specialised industry journals, represent an excellent option provided they have coverage of the content you are seeking. Once you have identified your sources, you should check to see where their content is published as some publications are not covered by aggregators or news syndication services.

As with print media, television and radio content is also searchable via specialised aggregators. Typically these providers will index the content (i.e. note keywords and other search terms), to enable a word-based search to be performed via their portals. Once results are returned, they can then be screened for relevant content. Two examples of television indexes include BBC Monitoring and InformIT TV News.

Case Management: Reviewing, storing and evaluating matches

Media articles or other search results are typically recorded in some sort of ‘case management system’, which can be anything from a register kept in Microsoft Excel to a database or workflow system such as ServiceNow. There are a few steps in this stage of the process, including:

  • Reviewing each returned search result to determine whether it meets your criteria for retention (i.e. is it relevant, timely and actionable in relation to the question you are seeking to answer and is this new information, or is it a duplicate?)
  • Documenting selected fields / information from the article in your case management system – such as names or addresses of parties mentioned
  • Copying details of names, addresses, relationships, events or other reporting which could affect your relationships with key customers, suppliers or employees into a separate database (this is particularly important for fraud prevention and legal disputes)

This raises the question of who is performing the media monitoring, and how well they understand the intended recipients (i.e. their readers or internal ‘customers’). All too often media monitoring is performed by a central team, with consumers in the business being forwarded copies of news articles they have already read or receiving lots of emails that go unopened. Whether the function is performed centrally or by business line, the most important thing is that information is converted to intelligence so it is actually useful.

Whilst media monitoring can be started with the best of intentions, it quickly becomes a waste of time and effort if the generated content is not relevant and actionable to the recipient (i.e. can they actually do something useful with it) and timely (telling them an event has occurred 3 months after they’ve known about it is useless), if the content is not properly curated and searchable as volumes increase, and if the team performing the role becomes seen as a sender of spam.

Actioning what you’ve found

Once you have identified what’s important, the next step is to do something with it. By this stage of your process, you should be left with a number of articles that contain content of interest. In my experience, this is the stage where many media monitoring processes begin to fall apart.

Case Study:

A large bank had implemented a robust media monitoring process to track strategic developments involving competitors and the market. They were actively monitoring multiple channels, saving articles of interest to PDF from print media sources, and uploading them to a Document Library on their intranet (SharePoint). Over time they had thousands of articles containing rich information but it was never extracted and developed into intelligence. To make use of their collection, they had to individually review each search result rather than being able to see what all search results meant in the wider context. In time, it became quicker for users to simply use Google and the whole effort became a complete waste of time.

Media monitoring is only the first capability building block in an external listening process, and if your process relies upon emails or file libraries in a shared folder or on SharePoint once you hit a certain number of files you will start to encounter data challenges that affect our ability to extract any real value from your media monitoring. To avoid this situation, I recommend you add two steps to the end of your media monitoring process:

Dealing with information about people, events, places and things

Articles with content such as names, incidents, relationships, events and places need to have this information extracted into a structured format (ideally a database but CSV format will also suffice), with the original article attached. Whilst you can use document tags instead of structured content, it is not as effective (1) because you will still need to extract the data into a structured format to properly analyse it, and (2) over time libraries of tags will become unmanageable and you may encounter system limitations. To keep pace with volumes, I find this information most efficiently captured as the article is reviewed, rather than letting everything pile up.

These sort of articles typically relate to issues such as a key customer or supplier’s financial solvency, highlight relationships between employees and a supplier or customer (i.e. conflicts of interest or fraud risks), and legal disputes which might disrupt the supply chain. Consequently, the typical audience for this information will be finance / procurement, legal, audit, risk and compliance.

Articles of a strategic nature

In contrast to information about people, places and things, information of a strategic nature (e.g. articles on regulatory change, interviews given by a competitor on their new product) should be compiled into a separate document or ‘wiki’. Environmental Scanning is a common technique used in the strategic analysis and intelligence communities and is ideal for compiling and analysing this type of content, and will be covered in a future post.

The key difference between strategic information and that of people, places and things is the way it is used – it is mainly employed by strategy teams, product managers, or in other planning activities rather than more operational tasks, hence it needs to be reviewed less frequently. Strategic information is typically reviewed in the context of other strategic information or when making specific decisions.

Optimising your capability

The last step in developing any capability is to periodically evaluate its performance. For a media monitoring capability, this means running separate searches to ensure you haven’t missed anything with current search criteria (have you had consumers in the business ask about something you didn’t pick up?), ensuring that sources are reliable and credible and that search parameters are current, and that your downstream processes in terms of storing, evaluating and reporting remain valid.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.