By Robert Hackett
January 16, 2016

For the third time, the wily Mexican drug kingpin Joaquín Guzmán Loera has been apprehended by government authorities. The story bears all the hallmarks of any good cybersecurity thriller: evasion, deception, espionage, hamartia.

Investigators began tracking the infamous narcotics tycoon, also known as El Chapo (or “Shorty”), after his daring escape from a maximum-security federal prison last year. His accomplices had burrowed for a mile to a spot underneath his cell’s shower, allowing him to flee underground on a rail-guided motorcycle. The drug trafficker had made another legendary escape more than a decade prior, carted out of a holding facility while hiding inside a laundry basket. (Yes, a laundry basket.)

Following the latest improbable breakout, law enforcement agents appear to have monitored the cartel boss’ communications with Mexican actress and sympathizer Kate del Castillo. The Mexican news outlet Milenio this week published the contents of intercepted BlackBerry Messenger chats between the two. (Take a gander at a translated version on CNN.) Aside from the obviously piquant thrill that accompanies peeking into the private lives of the celebrity pair, one must wonder: How did this breach bring about El Chapo’s third and most recent downfall?

Del Castillo isn’t the only star implicated in the drug trafficker’s arrest either. After the actor-activist Sean Penn’s riveting, if fawning, Rolling Stone feature appeared last week, people speculated that his operational security procedures might be to blame for the cocaine chief’s re-capture. Cybersecurity experts questioned Penn’s protocols, calling some of his magazine descriptions “incomprehensible…gibberish,” as Kashmir Hill at Fusion reported. (Penn self-identified in his story’s first paragraph as “the single most technologically illiterate man left standing,” so there’s that.) In the end, Penn declared that his “article has failed”; but more importantly, did his attempts at operational security fail, too?

For those with the time, I recommend sifting through theories and analyses contained in the comments section of this post by the computer security blogger Bruce Schneier. In any case, it’s unlikely that all of the hunt’s details will fully surface. If the reports are to be believed, then Penn and del Castillo’s visit to the drug lord’s mountain hideout provided necessary intel to pinpoint the suspect’s location. That incident didn’t immediately lead to his arrest; however, a few months later, after an initially unsuccessful raid, Mexican marines finally nabbed him.

All this goes to show just how utterly important it is for people in precarious situations to practice excellence in operational security. (El Chapo’s case is exceptional, of course.) After all, Mexico’s most wanted man’s own son reportedly leaked his location earlier through a careless photo upload.

The best tactics are easier spoken than obeyed: Don’t reveal information. Compartmentalize. Avoid letting the details of your personal life bleed into your professional one. Opsec, as the pros call it, too often is a losing game. It only takes one slip-up—one tragic flaw—to give oneself up.

Robert Hackett


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, or however you (securely) prefer. Feedback welcome.

