The audacious Hatton Gardens heist that took place over the Easter bank holiday weekend has been lauded as a “great heist” and “worthy of a movie” by certain parts of the internet.
It is very obvious that the gang that carried out the raid were extremely organized, sophisticated, and well connected.
Before the robbery actually took place, there are now suspicions that the criminals deliberately started a fire at nearby Holborn. The fact that the fire was started in the week before the attack and took hold only 500 yards from the vault whilst causing major power outages and chaos, does seem to be more than just a coincidence.
The gang made it inside the Safety Deposit lock up on Thursday 2nd April. They then spend Thursday, Friday and most of Saturday completely unchallenged by any member of the security forces or general public, jamming the lift, drilling through the 2 metre thick lift shaft and vault to reach the deposit boxes and opening 70 of the safes to find the treasure inside. They removed their haul on Sunday, by dragging loaded wheelie bins into an unmarked white van parked outside the building.
The break in wasn’t discovered until Tuesday morning, when Hatton Gardens Safety Deposit workers discovered the pile of rubble and damaged security boxes in the basement of their building, and called the police.
There has been on and offline criticism directed against the Met, after they issued a statement admitting an alarm sounded on the vault in the middle of the night on Good Friday, but it was ignored and no officers were sent in response.
What went wrong?
The missed alarm
Scotland Yard released a statement about the missed alarm: “We have established that on Friday, 3 April at 00:21hrs a call was received at the MPS Central Communications Command (MetCC) from Southern Monitoring Alarm Company. The call stated that a confirmed intruder alarm had been activated at the Hatton Garden Safe Deposit Ltd. The call was recorded and transferred to the police’s CAD (computer aided despatch) system. A grade was applied to the call that meant that no police response was deemed to be required. We are now investigating why this grade was applied to the call. This investigation is being carried out locally. It is too early to say if the handling of the call would have had an impact on the outcome of the incident.”
It seems a little disingenuous by the Met to say that they are not sure if the handling of the call would have had a positive impact on the raid. If the police had turned up on site, they would have been ideally placed to make at least SOME kind of impact on the ongoing robbery.
Are the Police being Criticized Unfairly?
Yes they are. The Hatton Gardens Safety Deposit building had already suffered a significant number of false alarm activations. It is policy that all remote signalling alarms that terminate at approved central monitoring stations, like those at the Hatton Gardens building, are registered with the police and identified by a unique reference number (URN). The police response to their activation will be based on the assumption that an offence is taking place, but “against the background of competing urgent calls and available resources”. Such a response is also be conditional upon the number of false activations in any 12 month period, in which case the activation may receive a “lower priority police attendance”.
So, due to the sheer number of false alerts from the Hatton Gardens building over the last year, the police system automatically flagged the response grade to “no response” on their URN. It is also the alarm company’s responsibility to contact the key holder, not the police.
Usually, this system is very smooth (a typical alarm call would last around 15 seconds, and the incident creation to response would only take barely a minute), but in this case, the number of false alarm activations in the past had prevented the system from triggering any kind of police response.
Weak Security System
It has been reported that the onsite security guard failed to investigate when he heard the alarm going off on Friday. Apparently, he went downstairs, looked through the doors and windows, and couldn’t see anything, and came out again. When asked why he didn’t open up the building, he said that “he doesn’t get paid enough”.
It’s more likely that the insurance company demanded that in case of any alarm, the police are the one that enters and investigates, not a private security guard. The guard’s instructions were probably something similar to, “do a security sweep of the outside of the building, and if no signs of break in, continue normal patrol. If signs of break in, call the police and observe the building from a safe distance.” But of course, the number of false alarms and lack of any obvious break in clues, would mean that the security guard had no reason to escalate the security response.
The gang’s knowledge of the interior of the Hatton Gardens building, the security procedures and likely police response, makes it almost definite that the raid involved some kind of insider information. And an “aggravated burglary” at the North London home of Manish Bavishi, a director of the Hatton Garden Safe Deposit company is likely to be part of the gang’s job reconnaissance. The Metropolitan Police confirmed the 2013 incident was still being investigated. Worryingly, Mr Bavishi is said to still be on holiday in Sudan and is not answering calls.
How could the raid have been prevented?
If anything, the Hatton Gardens robbery demonstrates that every company needs an in depth and externally provided Physical Security Assessment. A thorough review of the company’s security systems, would have immediately flagged up the following facts:
- The sheer number of false alarm activations. The management of the company should have implemented a process, in conjunction with the alarm manufacturer/installer, to investigate the reason for the excessive number of activations.
- Also, once the false alarm triggers had been removed, the company needed to ensure a mandatory police response every time the alarm was activated, by paying for the response if necessary.
- It was reported that the criminals jammed the lift to gain access to the deposit boxes. Why wasn’t the lift seen as a weak point in the physical security of the building? A physical security assessor would identify that access could be reached through the lift shaft, and remedial solutions put in place.
- Hatton Gardens should have installed a CCTV system that included remote manned PTZ cameras to monitor the external security site 24/7. These cameras should also have had complete building coverage, and be triggered when alarms were activated.
- An assessment would flag up any hidden areas close to the site, and around the actual building. If they were found, then the company should have instigated a “Crime Prevention through Environmental Design” (CPTED) audit, to solve potential areas not covered by CCTV.
- The security guard’s reactions to the alarm activation were exceedingly problematic – an assessment should have been carried out of the existing company security team and their procedures in the event of a criminal attack. A security guard situated inside the building, an annunciator panel system and maybe a triggered light on the alarm system would have been ideal.
- The security system at Hatton Gardens needed visual devices such as a loud alarm or lighting system to let the general public know that something out of the ordinary was occurring. A call by a suspicious bystander would have led to police attendance.
- The company security process needed to ensure that staff were notified when approved utility work was being carried out. If suspicious activity was noticed, an Emergency Notification link would have flagged up the correct company person to contact.
- The four day holiday period is an ideal time to carry out any criminal activity – procedures should have been created to ensure full monitoring over the “down” period.
- Personnel reviews to identify any suspicious employee or director history or activities may have gone some way to weeding out any insider double dealings.
Amongst all the admiring comments online, some have stated that this crime was “acceptable” as it was almost victimless – no one was caused physical or mental harm and distress.
This lack of a physical element to the crime does not mean that it is no less damaging for those who have had their belongings stolen, as well as for Hatton Garden, which is based at the heartland of the jewellery industry, and the UK jewellery trade as a whole.
The raid will have a huge impact on many people’s income, and some may possibly be put of business. The public’s perception of the security around Hatton Gardens has been irretrievably damaged. Compensation claims against the company could run into millions of pounds and even the police could face civil action from insurers trying to recoup losses.
It is unfortunate that the management of the company did not implement a thorough physical security review. It’s also unfortunate that the gang was able to access insider information about the weak security processes at the heart of the Hatton Gardens building.
Hopefully, if nothing else, this high profile raid will convince other companies in the jewellery industry and similar trades, that physical security cannot be ignored, and defense of a building and its contents must be an integral part of a company’s process and plans.
Otherwise is to risk a potentially damaging and even disastrous attack.
For more great articles or to see the original post, visit 2-Sec’s Infosec Blog.
Chris Phillips heads up 2-sec’s Physical Security Consulting Practice and is ex-head of NaCTSO, the UK’s National Counter Terrorism Security Office. At NaCTSO, he was responsible for training, accrediting, tasking and co-ordinating over 250 Counter Terrorism Security Advisors across the UK. Chris pioneered and developed the following security awareness initiatives, which are now deployed globally: Project ARGUS, Know Your Customer (KYC), Secure in the Knowledge, The WRAP Programme, Counting the Cost and the Vulnerability Self Assessment Tool (VSAT). He is one of the few people who can say they are a consultant, speaker and recognised Industry expert and mean it! His speaking typically includes 30 plus keynote speeches a year at major conferences in the UK and abroad. Connect with Chris on LinkedIn and follow him on Twitter for more.