165 | 7 Food Safety Risks for 2025 | Food Defence Case Study | Crackers |
Plus a nice note and lizard meat fraud
Food defence case study: cyberattack threatens allergic consumers
7 food safety risks for 2025 and beyond
Food safety news and resources from around the globe
How crackers are made (just for fun)
Food fraud news and incidents (now with monitor lizard meat)
🎧 Listen Now 🎧
Hi,
Welcome to Issue 165 where I change my mind about a food defence issue, based on a recent incident allegedly perpetrated by a disgruntled ex-employee of Disney World. The case didn’t just make me question my assumptions about cyberattacks and food safety, but had me questioning the whole concept of food defence.
Also this week, seven food safety risks that are growing or changing, as described by experts at a recent industry event in the United Kingdom and food fraud news which includes a story with lizard meat, a warning for butter and controversy about honey testing.
Thanks for reading, and for supporting my efforts to bring you the most interesting food safety and food fraud stories from around the globe every week (it’s a tough job, but someone has to do it! 😊
Karen
P.S. Here’s some feedback from Issue 163. “Thanks, Karen, for a wonderful positive story on our Safe Melons programs…. Your independent… commentary… is greatly appreciated. I’m very impressed with your deep dive into the report to extract useful information (opposed to catch phrases on socials). Once again thanks for your time, effort and commitment. Regards SP”
Food defence case study: cyberattack threatens allergic consumers
Last year I explored the food safety risks posed by cyberattacks and concluded that an undetectable intentional adulteration incident would be incredibly difficult to perpetrate using computer systems alone.
🍏 Issue 113: Are Cyberattacks (Really) a Food Safety Issue? 🍏
In that post, I discussed various scenarios and shared examples of possible cyberattacks on food and beverage operators, including security camera feed hacks, industrial control system hacks and personnel access system hacks.
At the end of the post, I concluded “However, without the assistance of an insider, or a physical presence in the facility, perpetrating an undetected food adulteration event using computer systems alone would be difficult.”
Now I’m rethinking that conclusion.
Do cyberattacks pose threats to food safety?
Yes, cyberattacks pose threats. But in the past, I’ve argued the risks of a food safety incident arising solely from a cyberattack, unassisted by an insider or intruder with ‘boots on the ground’ are low.
Reminder: Threats are not the same as risks. A threat is a potential event or action that could cause harm or damage, while a risk is the likelihood and impact of a threat actually occurring.
What are the risks?
In Issue 113 I focused on food adulteration risks – that is the risks from a harmful adulterant being intentionally added to food for the purpose of causing harm.
Cyberattacks certainly cause serious financial losses and major disturbances to food supply chains - a ransomware attack on the world’s largest meat supplier, JBS S.A., in 2021 caused disruptions to every JBS processing facility in the United States, costing millions of dollars - but there are few scenarios in which a cyberattack can directly cause food adulteration without it also being easy to detect.
For example, if a cyberattack affected the PLC system (programmable logic controllers) of a food manufacturing line, the food could end up undercooked, or overdosed with additives, but these failures would likely be detected during the course of normal operations.
In fact, despite finding many instances of harm caused to companies by cyberattacks, I could not find evidence that a cyber attacker had ever managed to adulterate food from an off-site location.
New information
Last week I learned of a cyberattack that posed serious risks to certain consumers. The attack was perpetrated solely from a personal computer, with the perpetrator not needing to enter the food business.
It’s a chilling story: a disgruntled ex-employee of Disney World with access to menu creation software for their theme park restaurants has been accused of manipulating menus to make it appear that foods containing peanuts were safe for allergic individuals to consume.
The results could have been catastrophic for allergic consumers, although fortunately, it appears no one was hurt.
The FBI alleges that the employee, who had been the Menu Production Manager, accessed the menu software – a third-party product called Menu Creator – and made unauthorised changes to Disney World menus over a period of three months.
In addition to adding information which falsely labelled certain items as safe for people with peanut allergies, the FBI alleges the ex-employee also changed the price of certain items, changed fonts and altered QR codes to direct users to controversial websites.
What’s different about this incident, compared to a typical food defence incident, is that food was not adulterated. Nor was there any threat of adulteration or any intention to adulterate. The threat was solely related to misinformation.
Here’s a question: for an incident like this, with no actual adulteration, is it correct to call this a food defence issue?
Was this incident a food defence issue?
For me, the answer is clear: yes. If protecting consumers from malicious actions isn’t food defence then I don’t know what else it could be.
However, let’s check the definitions:
The FDA says “Food defense is the effort to protect food from acts of intentional adulteration or tampering.” United States Food and Drug Administration
The Global Food Safety Initiative (GFSI) says food defense is “The process to ensure the security of food, food ingredients, feed, or food packaging from all forms of intentional malicious attack including ideologically motivated attack leading to contamination or unsafe product.” GFSI Benchmarking Requirements version 2020.1, via FSSC
Do these definitions apply to an incident where food has not been adulterated or tampered with? The FDA definition does not, because it’s about protecting food from tampering, whereas in the Disney World incident the tampering did not affect the food, but the menu.
The GFSI definition of food defence is also unsuitable for this incident, because it is about protecting food, feed and packaging from contamination, with no room in the definition for incidents that don’t involve contamination.
Does this mean we shouldn’t address vulnerabilities like menu tampering and allergen misinformation in our food defence programs? Nope. But it does mean our definitions might need to be adjusted.
What can we learn from this incident?
Food and beverage operators have a legal and moral obligation to protect their consumers from malicious actions connected to their food. The alleged incident with Disney World’s menus could have had deadly consequences for peanut-allergic consumers.
A lawyer might argue that Disney World failed to protect its consumers if the menus had made it into restaurants. Fortunately, the other changes to the menus alerted staff that they had been tampered with and the menus were not distributed.
The person accused of the tampering denies any wrongdoing. While employed he had legitimate access to his employer’s menu editing software and may have retained access after his employment ceased or gained access using the credentials of former colleagues.
It is possible – even likely – that the departments responsible for removing or resetting IT access for terminated employees were unaware of his access to the menu software. If they had been aware, they may have considered such access inconsequential and not worth worrying about.
Key learnings:
Menu software might seem like non-critical software in relation to food defence and cyberattack protection, however, a tampered menu poses threats to consumers. Menu software could therefore be considered a potential vulnerability in food defence systems.
Menu software may be less well protected than other software when it comes to unauthorised use.
When employees leave a food business, their access to critical systems would usually be removed, however, obscure and less-critical systems could be easily missed. Such systems should also be checked.
Menu software should have the same level of log-in protection as other critical software – for example, multifactor authentication and best-practice security protocols.
Businesses that use menu software should review access for employees and check that software uses current best practice security protocols.
In short
🍏 Food defence incidents usually involve tampering with food 🍏 This incident did not involve food directly, instead menus were tampered with, allegedly to cause harm to peanut-allergic consumers 🍏 The incident was perpetrated using software that might normally be considered non-critical for food defence and cybersecurity 🍏 Access to the software may have been retained by a disgruntled ex-employee who allegedly caused the incident 🍏 Menu software is a potential vulnerability in food defence systems 🍏 Businesses that use menu software should review access for employees and check that software uses current best practice security protocols 🍏
Main source:
O’Kane, C. (2024). Former Disney employee accused of hacking menu system and changing peanut allergy information. [online] Cbsnews.com. Available at: https://www.cbsnews.com/news/disney-employee-michael-scheuer-hacking-menus-peanut-allergy/.
7 Food Safety Risks for 2025 and Beyond
Food safety and food fraud experts have described 7 growing or emerging food safety risks at an event hosted by Food Manufacture. I list them briefly here and encourage you to check out the original article in Food Manufacture.
Allergens
It’s no surprise to see allergens on a list of growing food safety issues. Sadly, many wealthy countries continue to experience growing numbers of allergic consumers. This means the potential impact of any allergen mistake is becoming larger – and around half of all recalls are related to allergen mistakes.
But it’s not just the increasing number of allergic consumers that is the problem, there are increasing numbers of exposure points in our food chain as we change what we eat. For example, plant-based protein foods and milk alternatives are now using more diverse plant sources, such as pea proteins, which can pose risks to consumers with allergies to other legumes, but are not subject to the same allergen warning labelling rules.
Similarly, insect proteins pose potential risks to people who are allergic to crustaceans and seaweed-containing foods are poorly understood when it comes to allergenicity.
New food fraud risks
I wrote about emerging and growing food fraud risks extensively in Issue 157. The experts at the Food Manufacture event also mentioned food fraud risks as a growing risk to food safety. They talked about the risk of fraud in the supply chains of plant based protein foods, which are expected to form a larger part of diets in wealthy countries in coming years.
Comment: Plant-based protein powders are particularly vulnerable to food fraud. Find out why in Issue 15.
🍏 Issue 15 | A New Risk for Plant-based Foods 🍏
E-commerce and dark kitchens
Online retailers and marketplaces like Amazon remain something of a ‘wild west’ when it comes to monitoring, rules and enforcement. Unfortunately, they are a great place for bad actors to sell foods and supplements that are expired, unsafe, counterfeit, diverted or illegal in the buyer’s country.
In this week’s food fraud news, I share how a company that produces dietary supplements for pets has had to recall stock that isn’t even their product after they discovered potentially unsafe copies (counterfeits) were being sold online.
Why is e-commerce a growing risk? Because more and more of us are buying more and more products online. The experts at the Food Manufacture event also mentioned ‘dark kitchens’, a mode of food production that is relatively new.
🍏 Read about the food safety risks of dark kitchens in Issue 101 🍏
Recycling and recycled materials
The food industry and food packaging industry are being encouraged to use more recycled materials and recycled water for food and packaging manufacturing. But any increase in recycling comes with a whole suite of food safety hazards, from improperly treated wash water to chemical impurities in post-consumer recycled resins.
An interesting and unexpected risk from recycling, highlighted by Alison Johnson of Food Forensics at the event, is that some recycled polymers can contain levels of bisphenol A (BPA) which used to be considered safe and ‘legal’ but are no longer suitable.
Cyberattacks and food terrorism
The risk to farms, ranches and food processing facilities from cyberattacks is “growing exponentially” said an FBI agent from the Omaha field office in a recent symposium about threats to agriculture. He also said the threats are evolving, becoming more complex and more severe. As we are now more reliant than ever on information technology and cyber systems, we are also now more vulnerable.
Climate change
Global warming is changing where certain crops can be grown, with areas that were previously unsuitable for a certain crop now being suitable. However, when farmers grow a crop that is new to them, their production systems can be more vulnerable to food safety incidents due to immature agricultural controls and a lack of knowledge of food safety best practices. While the food safety hazards won’t be new, new places and products will be affected.
Comment: Aflatoxin contamination of grains, nuts and dried fruit seems to be more commonly flagged in food safety alerts like RASFF these days. Could it be that areas which used to be too cold or dry for aflatoxin formation are now vulnerable but that local storage protocols have not yet changed to reflect the warmer, moister conditions?
Lack of food safety professionals
It’s a worldwide problem: not enough food safety professionals.
Sadly, the problem is getting worse as more experienced professionals continue to retire from the workforce. More than 13 percent of food hygiene officer roles in local authorities in England, Wales and Northern Ireland are vacant.
With the loss of experienced professionals comes a loss of knowledge and fewer opportunities for new recruits to be mentored. Food safety only happens when knowledgeable people create good systems and ensure they are working correctly. Less food safety knowledge poses serious risks to effective food safety systems.
Comment: food safety professionals have been talking about this issue for years, but I don’t think I’ve ever seen it described as a direct and growing threat to the safety of our food. It’s a good way to frame this very tricky problem.
The main source for this post is:
Grylls, B. (2024). 7 major food safety risks. [online] foodmanufacture.co.uk. Available at: https://www.foodmanufacture.co.uk/Article/2024/10/29/2024-food-safety-risks
This week’s food safety news roundup
What’s going on with poisonings in South Africa? Children are dying, store owners are being arrested and mysterious chemicals are being linked to deaths. Scary. Also this week, another pathogenic E. coli problem in the USA, 2 free webinars and more.
Check it out by clicking the preview box below.
How Savoury Crackers Are Made (Just for Fun)
This 1-minute video is totally safe for work (if your colleagues don’t mind music from The Beastie Boys) and provides a mesmerising view of cracker manufacturing. Love the beautifully moulded plates that make the holes in the top of each cracker!
Tiktok failed to load.Enable 3rd party cookies or use another browser
Below for paying subscribers: Food fraud news, horizon scanning and incident reports
In this week’s food fraud news:
📌 Wine authentication;
📌 Honey controversy;
📌 Pet food supplements, lizard meat fraud;
📌 Warning for butter.
Become a paid subscriber to access The Rotten Apple’s food fraud news.
Keep reading with a 7-day free trial
Subscribe to The Rotten Apple to keep reading this post and get 7 days of free access to the full post archives.