Issue #53 | Cyberattacks and Food Safety | Root Cause: E. coli in Leafy Greens | The 4 Big Companies Profiting from Misery
Issue #53 | Cyberattacks and Food Safety | Root Cause: E. coli in Leafy Greens | The 4 Big Companies Profiting from Misery
2022-08-29
Welcome to The Rotten Apple, an inside view of food integrity for professionals, policy-makers and purveyors. Subscribe for weekly insights, latest news and emerging trends in food safety, food authenticity and sustainable supply chains.
Threats to Food Safety from Cyber Attacks
Pathogenic E. coli in Leafy Greens - a root cause analysis
The Food Safety Aspects of Sous Vide (for paying subscribers)
The Big Four Companies Benefitting from High Commodity Prices
News and Resources Roundup (Now Bigger and Better!)
Food fraud incidents, updates and emerging issues
🎧 On the go? Listen to me read out today’s email. Get access to audio with a paid subscription, (free trial at the bottom of this email) 🎧
Hi there,
Welcome to Issue #53, and welcome to The Rotten Apple community if you are new here.
Shoutout to the lovely Lynnette from South Africa, who is taking time from her busy day to send me news of food fraud incidents from her region. Our aim is to cover all regions globally, but the search software and bots aren’t infallible, so it’s fabulous to have ‘eyes on the ground’ in different countries. If you have any food fraud news to share, please tell me (reply to this email or write to therottenapple@substack.com).
I had a great email conversation last week with Roger from an almond and walnut processing business in California. Roger thanked me for the “obvious quantities of work you put into The Rotten Apple.” and said I make it look “effortless” - what a compliment! He went on to say:
“You appear to be the kind of person who, just for the fun of it, would climb Mt. Everest without a rope. And take a deep and unassisted breath at the top!”
Thanks, Roger, like many of us, my work does feel like a mountain in need of conquering at times. Coincidentally, I do enjoy rock climbing and other extreme sports. In fact, I’m travelling to Italy to compete in the World Windsurfer Championships in October.
This week’s issue of The Rotten Apple examines the food safety risks from cyberattacks. The food industry is as vulnerable as any other when it comes to the financial and data-confidentially risks from malicious cyber activities. However, the food safety risks are also real - scary stuff!
Also this week, I share what I learned in a root cause analysis of leafy greens-linked E. coli outbreaks.
There’s a special supplement just for paying subscribers about the food safety aspects of sous vide - I have to admit this new(ish) form of cooking was a bit of a mystery to me until recently. Plus a disturbing look at who’s profiting from the current high global food commodity prices.
As always, this issue ends with food fraud incidents and horizon scanning news, below the paywall.
Have a fabulous week,
Karen
P.S. Please keep sharing these emails with your friends and colleagues. A wider readership helps me to keep creating high-quality, independent content… climbing the food integrity mountain!
Insight
Cyber attacks: your food business is at risk
What sort of apps are you using in your food business? An ERP (enterprise resource planning), a recipe management system, food safety record-keeping software, cool room monitoring…..?
When software like digital food safety record-keeping systems are developed, the development process usually aims to create a ‘just-good-enough’ functional app in as short a time as possible, so that it can be launched and used in the real world, then improved after it has been launched. With this development model, security measures can sometimes be a low priority for app designers.
Apps that handle money and personal information need strong security features, and developers are of course aware of this. But an app that captures temperature data in a food business might not receive the same level of attention to security. According to Sean Duca from Palo Alto Networks, a major cyber security company, developers often misjudge the risk, thinking their software would not be a security target.
He says that cyber security [in apps] is often an afterthought.
In the agriculture sector, awareness about the risk of cyber attacks is growing. John Deere tractors are just one of many types of machinery that now come with sophisticated software, including internet connectivity. The software allows John Deere to monitor and control certain aspects of a tractor’s performance. Famously, this feature was used to “brick” tractors that were stolen from a Ukrainian farm equipment dealership by Russian troops earlier this year. To “brick” is to render a vehicle unresponsive and inoperable, like a lump of useless metal, or a brick.
The remote control features in John Deere equipment were created to protect the company’s intellectual property and ensure that vehicle owners are obliged to pay John Deere for repairs, upgrades and access to information collected using the tractor’s built-in technology. But this connectivity can also allow bad actors to get into the tractors.
Last week an Australian hacker broke into the software in a John Deere system and installed a video game, to try to encourage John Deere to strengthen its security systems. He revealed that the underlying operating system is outdated and vulnerable to attacks.
So if agricultural equipment is vulnerable, is the equipment and software in your food business vulnerable too? Absolutely! According to Leanne Singleton, of FoodSure, food businesses often misjudge their risk from cyber attacks. Cybercrime and data breaches are an issue that food production and food safety teams just won’t talk about, says Ms Singleton. It’s not our area of expertise, and we tell ourselves that we are not attractive targets anyway. However, cybercriminals will attack any business that is vulnerable, “because they can”, she says.
In May this year, JBS USA, part of the world’s largest meat processing company, fell victim to a cyberattack. The attack affected computer servers for some, but not all of JBS’s operations, and impacted production and supply lines, causing ‘lights out’ days in processing operations. The company paid a ransom of $11 million to the attackers, to “prevent any potential risk for our customers”, according to CEO Andre Nogueira.
According to one news story, in the days immediately following the attack, thousands of newly slaughtered carcasses remained in limbo and could not be boned-out because the computer systems for record-keeping and ‘sortation’ were offline. Even if the carcasses could have been processed using manual, paper-based record-keeping methods, the resulting meat was expected to have traceability problems related to gaps in data that would affect shipping documentation, labelling and inventory records.
When the outage occurred, large customers of JBS, like supermarkets and McDonalds acted quickly to source meat from unaffected sites, unsure of how long any supply chain disruption might last and to mitigate the risks of food shortages caused by delays in carcass processing.
Do cyber attacks present a food safety risk?
Many businesses now use digital solutions for food safety monitoring and management. Imagine if your food safety records or traceability records were stolen by hackers, who might demand a large ransom to restore the data.
This, in itself, would be a huge pain in the neck for any food business, but would not give rise to actual risks to food safety. But what if the data from your sensors was compromised? Imagine if you had a canning process and the retort temperatures and pressures were misreported, or if critical limits violations were not reported. This could create deadly food safety outcomes.
Insufficient canning parameters are obviously a critical food safety problem. But even something as simple as misreported cool room temperatures or missed open door alarms could cause spoilage or the growth of pathogens in refrigerated foods.
But surely we are not a target?
Why would a hacker go to the trouble of hacking into a food business’ temperature or pressure sensors? Because they can. State-based cyber criminals are attacking businesses and governments at every level on a daily basis, with the aim of disrupting supply chains, harming businesses and hurting citizens. In fact, it’s estimated that a ransomware attack occurs every 11 seconds.
The hackers behind the JBS attack were linked to Russia and there are state-sponsored hackers trying to disrupt supply chains of enemy states to support their government's agendas.
It’s worth remembering that hackers deploy ‘bots’ to find and exploit vulnerabilities automatically. This means that even targets that might not seem attractive to a human hacker could be attacked by bots.
What can be done?
As a food professional, you probably aren’t a computer security expert. However, awareness is important at every level. This is particularly the case if you are in a small or medium-sized business, or if you are in senior management. The more people in a business who honestly acknowledge the risks posed by cyber-attacks, the more likely that preventive action will be taken.
Organise training for staff about computer security such as how to handle phishing emails, awareness of malicious websites and password protection. This can help keep hackers out of your systems.
Check that your IT contractors and staff have implemented security protocols like spam filters, scans, malware prevention software and frequent data backups for your business.
Include security-related considerations when selecting software for digital management of food safety records and equipment like cool-rooms, ovens, and batching software.
Perform your own outcome-focused cyber risk assessment for food safety risks: within your operations, ask yourself which computer-enabled systems could create a food safety hazard if they were tampered with. Don’t assume that ‘no one would bother with us’, assume that if it’s vulnerable it will be attacked.
Engage a cyber security expert to perform a vulnerability assessment or security audit on your business, including software for production, storage and inventory operations. [By the way, if you know of any security experts who will do this work, let me know, it would be great to share their details with our community].
Be aware that there are mandatory reporting requirements for cyber breaches in most nations. That means if your business becomes the victim of an attack, you are obliged to report it to authorities. The information collected helps governments to understand the risks. Here’s a list of Australian data breaches for 2022. It includes Woolworths, a major supermarket chain and Coca-Cola.
Senior managers and business owners should review insurance coverage, to ensure that losses from cyberattacks are covered. In 2019 it was reported that 68 percent of US businesses had no form of cyber insurance.
Sources:
https://www.abc.net.au/news/rural/2022-08-24/tractor-hack-reveals-food-supply-vulnerable/101360062
https://www.insurancejournal.com/news/national/2021/06/10/618052.htm
🍏 Do you know a cyber security expert willing to work with small to medium businesses to perform one-off audit/threat assessments? Please get in touch, by replying to this email. 🍏
Analysis
How Does E. coli Cause Leafy Greens Outbreaks?
Following last week’s story about the cost of an outbreak caused by Shiga-toxin-producing Escherichia coli (E. coli O157:H7) in leafy greens, it’s time to talk about root causes.
(Reminder: hundreds of millions of dollars of losses were incurred by industry and consumers, all from contamination at just ONE FARM!)
Two outbreaks
There were two unrelated E. coli outbreaks from romaine lettuce in the USA in 2018, with a total of 5 deaths. In addition, 29 people suffered serious kidney failure (haemolytic uremic syndrome), 121 people were hospitalised and there were 272 officially reported cases in total. The smaller outbreak (in terms of numbers of illnesses) was the one analysed by the economists and reported in last week’s story.
Which food(s) made people sick?
The first step in an investigation outbreak usually involves interviewing victims about what they have eaten. It takes up to eight days to become ill with Shiga toxin-producing E. coli (STEC). In these outbreaks, victim food recall information pointed to romaine lettuce as the outbreak source.
The lettuce was traced back to certain growing regions, but it was not possible to trace back to individual farms. In the growing regions, authorities then began taking samples of water, soil and manure, looking for bacteria with an exact genetic match to the bacteria isolated from the outbreak patients.
In the first outbreak, the outbreak strain of E. coli O157:H7 was found in the water of an irrigation canal in the Yuma (Arizona) growing region. The US FDA concluded that the food responsible for the outbreak was romaine lettuce from the Yuma region.
In the second outbreak, the outbreak strain was found in sediment in an agricultural water reservoir on a farm in Santa Barbara County in California. The FDA concluded that the source of the second outbreak was romaine lettuce from that farm.
The two outbreak strains from 2018 were not related, that is, the genetic patterns of the bacteria were not very similar. However, the strain from the second outbreak was closely related to one that caused an outbreak in 2017.
Fresh leafy greens such as romaine and spinach are a common source of E. coli food poisoning. Romaine has been implicated in more STEC outbreaks than other types of lettuces and leafy greens. There are a number of reasons for this.
Romaine lettuce is grown outdoors in the USA and its leaves are close to the ground, which increases the chances that the edible parts of the plant will be exposed to bacteria in soil and water. The lettuces require a lot of irrigation water when growing. They are popular foods, which increases the likelihood of them causing an outbreak, and they are usually eaten raw.
Compared to other lettuces, romaine is open at the top, whereas iceberg lettuce, for example, has outer leaves that are closed and divert water away from the centre, so irrigation water or soil might come into contact with more romaine leaves per plant compared to iceberg.
The lettuce that caused both outbreaks came from farms where there was pathogenic E. coli in water canals or water reservoirs. The presence of the bacteria allowed authorities to conclude that those regions or farms were the sources of the outbreaks.
Good to know: Shiga-toxin producing E. coli is quite rare, compared to ‘generic’ E. coli. Microbiological surveys of hundreds and even thousands of leafy green samples frequently detect no instances of E. coli O157, including surveys of samples that were grown using manure fertilisers.
How does bacteria like E. coli get into or onto lettuce and stay there through washing, packing and other processes?
It is thought lettuces become contaminated from exposure to water or soil that contains STEC from animal sources near lettuce-growing farms. The contamination can be caused by cattle, wild pigs, dairy farms or concentrated animal feeding operations, such as cattle feedlots.
One study noted that water near cattle was more likely to have STEC than other water. You can also find STEC in cattle faeces.
So it does seem that lettuce grown near sources of contamination is more likely to contain STEC. However, we don’t really know for sure how E. coli gets into or onto lettuce. There is evidence that it can be taken into the inside of leaves, rather than always being on the outside of leaves, when plants are exposed to contaminated water or soil.
STEC can be recovered from leaves for many days or weeks after being sprayed onto leaves. Dust that carries the bacteria may also be responsible for some leaf contamination. Once on or in leaves it persists and can be detected for 45 days, or in one study, even up to 177 days.
Research conducted in 2020 showed that the surfaces of spinach leaves have features that help E. coli to adhere to leaf surfaces, with the density of veins on the spinach leaves being an important factor in adhesion. Once attached, E. coli was not easily washed off leaf surfaces, even when the wash water contained detergent and chlorine.
How to prevent outbreaks like this
After the 2018 outbreaks, a number of recommendations were put forward by experts and government agencies. The USA has already passed a law called the “Final Rule for Produce Safety”, but it has not yet been fully enforced. An important part of the produce safety rule is frequent testing of agricultural water to make sure it is free of pathogens.
The two largest growing areas for leafy greens in the USA, California and Arizona, have made their own recommendations for growers, which include having larger buffer zones between concentrated animal operations and leafy green growing fields and categorising sources of water, testing water and even treating water to remove pathogens if they are found.
Sources:
https://www.cdc.gov/ecoli/2018/o157h7-11-18/index.html
https://www.cdc.gov/ecoli/2018/o157h7-04-18/index.html
https://foodsafetytech.com/column/e-coli-on-the-rise-lettuce-explain/
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7510726/
Knowledge Boost
The Food Safety Aspects of Sous Vide (for paying subscribers)
Supply Chains
Food Prices and Profiteering
Did you know that 70 % to 90 % of the world’s grain trade is controlled by just four companies? And at least one non-government agency (NGO) believes that those four companies are profiting unfairly from tight grain supplies and high prices in 2022.
The profits of these four big companies have increased significantly since 2020. Cargill reported a 23 % increase in revenues for the year ended 31st May 2022; Acher-Daniels-Midland made the highest profits in history in the quarter ending 30th June 2022; Bunge’s profits were up 17 % compared to the previous year and Louis Dreyfus had profits for 2021 that were 80 % (yes EIGHTY percent) higher than the previous year.
According to the unnamed NGO, these four companies are not just benefiting from higher revenues due to more turnover, but also from bigger margins, with Archer-Daniels-Midland’s profit margin 22 % higher than the previous year and Cargill’s margin up 28 %.
Wow. With so many people concerned about food insecurity and the looming threat of famine from the current high food prices, these figures are hard to comprehend.
🍏 Read more: https://www.theguardian.com/environment/2022/aug/23/record-profits-grain-firms-food-crisis-calls-windfall-tax 🍏
News and Resources
Our new and improved news and resources section is now better than ever. It’s expertly curated and free from filler, fluff and promotional junk. Click the preview box below to access it.
What you missed in last week’s email
· How much does a food safety incident cost society
· ESG: an indicator of food safety risks?
· Science is amazing but we barely know anything (a new Listeria species is discovered)
Below for paying subscribers: Food fraud news, incident reports, and emerging issues, plus an 🎧 awesome audio version 🎧 (so you can catch up while on the go)
Keep reading with a 7-day free trial
Subscribe to The Rotten Apple to keep reading this post and get 7 days of free access to the full post archives.