Extremists, extortionists and opportunists — some of the culprits behind the deliberate contamination of food and drink products. The prospect of malicious tampering within the food and drink supply chain is alarming, but businesses can improve their resilience to such risks. Vicky Powell looks at how organisations can detect specific vulnerabilities in their operations and take steps to mitigate these.

Needles in bread packages, acid in soft drinks

In November 2017, the Food Standards Agency (FSA) and the British Standards Institute (BSI) published new guidance for food businesses on how to improve protections for food and drink supply.

The advice, PAS 96 Guide to Protecting and Defending Food and Drink from Deliberate Attack, documents a surprisingly diverse range of cases of deliberate food contamination, in the UK and elsewhere around the world, as evidenced by the following examples.

  • In 2005, a major British bakery reported that several customers had found glass fragments and sewing needles inside the wrappers of loaves of bread.

  • In 1984, the Rajneeshee sect in Oregon attempted to affect the result of a local election by contaminating food in 10 different salad bars, resulting in 751 people being affected by salmonella food poisoning.

  • In 2013, a major soft drinks supplier was forced to withdraw the product from a key market when it was sent a bottle which had had its contents replaced with mineral acid. The attackers included a note indicating that more would be distributed to the public if the company did not comply with their demands.

  • In 1990, a former police officer was convicted of extortion after contaminating baby food with glass and demanding money from the multinational manufacturer.

  • In 2008, a former tax inspector was jailed in Britain after being convicted of threatening to bomb the supermarket giant Tesco and contaminate its products.

  • In 2014, the Kenya Dairy Board warned that hawkers were putting lives at risk by adding preservatives (formalin and hydrogen peroxide) in a (probably futile) attempt to extend the shelf life of milk.

Inside the minds of culprits

There are all sorts of motivating factors for adulteration of food and drink products, ranging from the financial or commercial to the ideological or simply malicious.

Whatever the case, experts believe that understanding the potential attacker is key to preventing acts of deliberate contamination.

This is because measures to strengthen the resilience of food businesses against attacks are largely based on managers mentally putting themselves in the position of the criminals and then anticipating their motivation, capability and opportunity to carry out attacks, in order to best devise protective strategies. The following profiles describe the motivations of some would-be food contaminators.

  • The extortionist: The extortionist wants to gain financially from an attack but does not want to be caught, and concentrates on avoiding detection. Their target is more likely to be a high-profile business with lots to lose from negative publicity.

  • The opportunist: This individual may hold an influential position within an operation to be able to evade internal controls. They may have some technical knowledge but their main asset is access. The supplier who fills a meat product with pork instead of chicken, rather than risk failure to deliver to the customer, may even persuade themselves that the adulteration is legitimate since both products are meat, for example.

  • The extremist: These attackers take their cause or campaign so seriously that they distort its context and overlook wider issues. The dedication to their cause may have no limits and their determination to progress it can be great. The aim may be to cause harm and gain publicity for their beliefs.

  • The irrational individual: This type of person may have no rational motive for their actions. Some may have clinically diagnosed mental health issues. Their priorities and preoccupations have become distorted so they are unable to take a balanced view of the world.

  • The disgruntled individual: This person believes that an organisation has been unfair to them and seeks revenge. They may be an aggrieved employee or former employee, supplier or customer. Crucially, they may have expert knowledge of the operation and access to it.

  • Cyber criminals and other malicious digital actors: These criminals aim to subvert controls on computerised information and communications systems in order to stop them working effectively. Their motivation may be criminal or even political.

  • The professional criminal: Organised crime may see food fraud as a relatively simple crime, with big gains in prospect, little chance of apprehension, and modest penalties if convicted. The global trade in food in which products move, often with little notice, across borders can encourage professional criminals.

Preventing an attack

The globally accepted standard for safeguarding food and drink products against accidental contamination is the Hazard Analysis Critical Control Point (HACCP) system.

Indeed, the HACCP principles have proven to be effective against accidental contamination, with major outbreaks of food poisoning now unusual in many countries.

However, in the case of the threat of deliberate contamination, a different approach is recommended by food safety authorities, namely Threat Assessment Critical Control Points (TACCP). This is a risk management methodology which aligns with HACCP but has a different focus, and may need input from employees from different disciplines, eg human resources, procurement, security and information technology.

The TACCP approach is outlined in the FSA’s PAS 96 guidance, along with advice for food business managers to guide them through the procedures to improve the resilience of supply chains to fraud or other forms of attack.

Focused on minimising the chance of an attack and mitigating the consequences of a successful attack, the TACCP process suggests a series of steps that can deter an attacker or give early detection of an attack.

Broadly, TACCP places food business managers in the position of an attacker to anticipate their motivation, capability and opportunity to carry out an attack, and then helps them devise protection.

The PAS 96 guidance also provides other sources of information and intelligence that may help identify emerging threats.

The TACCP process assumes and builds on a business’ existing effective operation of HACCP, as many precautions taken to assure the safety of food are likely to also deter or detect deliberate acts. It also complements existing business risk management and incident management processes, with the focus on protecting the integrity and wholesomeness of food and food supply.

Experts warn that any intending attacker, whether from within a food business or its supply chain or external to both, is likely to attempt to elude or avoid routine management processes, which is why the specifically tailored approach of TACCP is recommended.

Responding to an attack

Food protection and defence procedures aim to reduce the risk of an attack but cannot eliminate it, so emergency response and business continuity protocols are essential.

Where contamination is implicit, quarantine and possible withdrawal and recall of product might be expected. In cases involving criminal action, police officers from serious crime units should be involved at the earliest opportunity to avoid any loss of evidence.

However, the best time to learn how to manage a crisis is not in the crisis, so advanced planning and rehearsal of procedures is essential. Useful advice on crisis management systems and contingency planning for recovery from attack can be found respectively in the standards BS 11200:2014 Crisis Management. Guidance and Good Practice and BS EN ISO 22313:2014 Societal Security. Business Continuity Management Systems. Guidance.

Ultimately, no single process can guarantee that the food and food supply is not the target of criminal activity. However, effective planning and the use of appropriate risk management strategies can make such attacks less likely, creating more resilient food and drink businesses which are far less attractive or easy targets.

Last reviewed 17 January 2018