What a $400,000 lobster theft teaches us about cyber risk

In our last column we talked about a strategic cyber threat positioning for future leverage. In this, we look at a different, very alarming issue suppliers, transporters, and operators are currently dealing with, and which commands losses in multi-millions, if not billions, of dollars, pounds, and euros: cyber-enabled cargo theft.

When we think of cargo theft, we usually imagine masked men in the dark of night swooping in, pilfering trucks unnoticed, and vanishing. At the end of last year, the theft of around $400,000-worth of live lobsters in the US, bound for midwestern Costco stores, highlighted something new: the increased use of digital methods.

With the help of spoof emails (nearly identical to the real company’s domain) the thieves impersonated the carrier, provided fake paperwork and even a fraudulent driver’s licence, turned off GPS tracking, and the lobsters were gone.

A closer look tells us that, while lobsters make for a catchy headline and funny memes (“a lost claws”, “langostino bros”), cargo theft has silently skyrocketed over the past five years and developed into literally a global menace, commanding north of $750m in losses across North America last year, according to CargoNet. The full impact, which factors-in other costs, for recovery and operational disruption among other things, however, is estimated closer to $6bn to $7bn (ATRI).

In Europe, we find a similar breakdown, where losses are around €450m annually in tracked losses, according to TAPA EMEA, while industry estimates, that go beyond strictly verified and reported cases, suggest the true scale is closer to €8bn a year. In Asia, where comprehensive figures are less standardised, numbers are estimated in a similar range: $2.4bn in recorded losses and $6bn-$10bn overall estimated, annually. The higher number is mainly a function of Asia encompassing a larger number of countries. The overall trend in every region points upwards.

Cargo theft has also evolved into a more complex and technologically driven threat, marking its entry into the cyber era. It is estimated that about a third of all cargo theft is now cyber-enabled. The main driver of this structural shift has been the now ubiquitous IT/OT convergence (physical processes are controlled by IT), and reliance on cloud-based transport management systems and electronic documentation in the logistics world. The rise of online freight marketplaces has also made it easy to pose as trusted carriers without solid authentication protocols. Paired with often poor cyber security (like passwords being reused, recycled, shared widely, and no multi-factor authentication), and a general lack of threat awareness in the sector, and you have a recipe for disaster – or at least very costly losses.

Anatomy of a crime

Our lobster example illustrates a very simple “fictitious pick up” scenario. The other, far more prolific, type is more strategic and more closely resembles traditional cybercrime. The attack begins with the hallmark of any good cyber criminal heist – the trusty phishing email. And once the culprits have gained access, they can compromise a company’s systems via stolen credentials (or if more sophisticated, using remote access tools) and can do a number of things, from retrieving sensitive data to impersonating the carrier or changing shipment information data (book loads and dispatch fraudulent trucks, etc). For example a threat actor might compromise a broker load account, post a fake load, and bag the gains without ever bothering with the nuisance of handling the physical product.

Among the prime targets for theft are easily resold items, like electronics, food, pharmaceuticals, and consumer goods, very often of high-value. The gained access and systems compromise is often used to identify what cargo to capture in the first place by selectively targeting high-value loads with precise timing and routing information.

The resulting losses are often shouldered by cargo owners, freight brokers, third-party logistics providers (3PLs), and trucking companies, often involving lengthy legal disputes over liability with insurance companies.  While insurance often covers cargo theft for “goods in transit” or “motor truck cargo” – the terminology typically governing coverage for shipments – it might deny claims based on handover to non-legitimate carriers.

What to do?

Transportation has long been a high-volume, high-velocity business, with many players paying little to no attention to cyber protection of its IT systems, often practising poor cyber security hygiene. This makes them a ripe target for exploitation by highly organised criminal groups, which will only accelerate further in the coming years.

The legal implications, losses, and other costs associated with this – including reputational ones – are far from negligible. Thankfully, there are several steps that can be taken to mitigate their risk. We will investigate these in our next column.

Maschenka Kemmsies is a policy analyst who specialises in geopolitics, emerging technologies, and cyber security. Previous roles include senior threat communications manager for security vendor Trend Micro and deputy head of political affairs at the Embassy of Austria to the United States.

Widely viewed as one of the foremost experts on ports, rail, and infrastructure in the US, Walter Kemmsies advises several major port authorities and is routinely asked to work on complex issues with various investment banks, private equity firms, and public regulatory agencies, Dr Kemmseis was chief port strategist for JLL and chief economist for Moffatt & Nichol, while other previous roles include head of European strategy at JP Morgan in London, and head of global industry strategy at UBS in Zurich.