Going postal – when terrorists use mail systems to target organisations

By Vincent Deery, CEO, 3DX-Ray Ltd.

In February 2021, three parcel bombs were sent to three different food and drink companies in Germany. The first package was discovered at Munich airport.

The second parcel bomb was sent to a beverage manufacturer and detonated when one of the employees opened it, causing a small explosion but no injury. And the third package injured three people when it detonated at the Lidl supermarket headquarters.

What seems fairly obvious is that the first package was picked up at the airport mail distribution centre, either by the use of mail screening technology, as you would expect in a mail distribution centre or by vigilant well-trained staff.

But what is equally obvious is that the two other bombs that detonated at the corporate headquarters were not detected either by technology or by vigilant well-trained staff.

These are not the only examples of the use of mail bombs as terror weapons in recent years.

In 2018 in the US, a series of mail bombs were sent to prominent critics of the former Donald Trump administration. The first bomb discovered was delivered to billionaire financier and activist George Soros. Subsequent devices were sent to political figures, including former President Barack Obama; former President Bill Clinton and his wife, Hilary, a former Secretary of State and US Congresswoman Maxine Waters. Other targets included the former Attorney General Eric Holder and then former Vice President, now President Joe Biden. And even the actor Robert De Niro received one.

But most companies will never be victims of a terrorist attack and understandably do not want to turn their corporate headquarters into a fortress and spend large sums on security measures that they may never need.

But good security, like insurance, should be treated as a necessary, not an unnecessary expense. The damage that a terror attack could cause in terms of loss of life, injury, disruption of business and reputation damage, can far outweigh the cost of reasonable security measures, built into the everyday running of a business.

Then of course, there is the ‘Duty of Care’ that all employers have towards employees. This means that employers have a legal obligation to take all reasonable measures to ensure the health, safety and well-being of the employees and visitors in their care.

The Duty of Care Risk Analysis Standard (DoCRA) provides principles and practices for evaluating risk.

It considers all parties that could be affected by those risks. DoCRA evaluates safeguards if they are appropriate in protecting others from harm while presenting a reasonable burden by defining what is reasonable risk. It helps establish reasonable security based on an organisation’s specific mission, objective, and obligations.”

Quite apart from the legal and moral imperative, there is a good business case for reasonable security measures.

AXISTM-CXi Screening System.

For most businesses, their staff are their most valuable assets. People that feel properly valued and cared for, are far more likely to be motivated and retained. And from a purely financial perspective, it can also mean that expensive litigation can be avoided.

In the future, courts may decide what constitutes ‘reasonable measures‘, but it could be argued, that all companies should be taking the risk of a terrorist attack seriously, at all times, but especially in times of heightened threat. It is true, that in the UK, the threat level, set by the Joint Terrorism Analysis Centre and the Security Service (MI5) is currently set at ‘substantial’ which means that JTAC and MI5 believe ‘an attack is likely’.

Clearly, threat levels vary from country to country but given the current situation in Germany and the UK at least, no company could argue in court that they did not know that ‘an attack is likely,’ and, therefore, should have implemented reasonable security measures.

So, what are reasonable security measures?

Well, I think we can all agree that there are some measures that are inexpensive, practical, and therefore perfectly reasonable, regardless of the size of the organisation. Firstly, developing a security plan based on a sound risk assessment and establishing appropriate staff training. And then there are some obvious technologies we can use, such as security and fire alarms, indoor and outdoor CCTV, some sort of access control system and an identity system for both employees and visitors. None of this is especially controversial.

After that, it becomes more problematic to decide what is necessary and reasonable. A lot will depend on the size of the company, the nature of their business and the local threat assessment.

For instance, some companies may face a higher risk, like the medical research laboratories in the north of England, who were sent nail bombs in the post by animal rights activists in 2001, which left one woman with serious eye injuries, a farmer with facial injuries and a six-year-old girl with a wounded leg.

AXISTM-CXi Screening System in use.

But what is the next step up in terms of reasonable security technology?

This is where I make the argument that X-ray technology should be considered as part of any corporate security tool kit.

This is not to suggest that every corporate headquarters should have large airport style baggage screening X-ray machines in their foyers. That would not be reasonable.

But the right modern mobile x-ray technology can be a real game changer, or to use military parlance ‘a force multiplier,’ giving the security director or facilities manager access to high grade security technology, where they want it, when they want it, and at reasonable cost.

Most big corporations will be familiar with postal x-ray scanners, but most of those currently in operation are what you could call, first-generation technology. That is, they can only scan in grey scale, are small, and able to manage regular post and small packages only.

X-ray technology has moved on a good deal since these systems were first widely adopted in corporate mail rooms. Most airport scanners now use colour differentiated scans, which make it possible to determine not just the shape but, the nature of the materials being scanned. So, orange shows organics, such as – explosives, chemicals, and drugs, as well as more innocent items such as foodstuffs. Blue shows metals, such as – guns, knives, and potential IED components. Green shows inorganic materials like those used in homemade explosives. Grey scale is used for recognition of shapes and the form of objects.

At 3DX-Ray, we decided that the mail room scanner needed to be brought into the 21st century. So, we developed the AXIS CXi cabinet scanner, which uses the same colour differentiated scans as airport scanners, making it easier and quicker to determine, not only if there is a threat, but what type of threat. A further major innovation is in the design itself, it has an altogether more pleasing aesthetic, with an extra- large inspection chamber, whilst maintaining a small footprint. So not only can it scan mail and parcels, but it can also scan bags up to and including aircraft cabin bags. Finally, we put it on wheels, so it can be wheeled out into a corporate foyer or hotel lobby in times of raised threat levels. Of course, it has all you would expect from any modern electronic device, such as user-friendly touch screen controls, high image resolution and image processing software. The AXIS CXi is a leap forward for mail room security, as well as being a real utility tool for reasonable corporate security.

Because in the corporate world, time really is money!


Vincent Deery is the CEO of 3DX-Ray Ltd.