When a Zoo Gets Hacked
The Dallas Zoo Incident and What It Teaches Us About Social Engineering
The case is closed. This past November, news broke that all charges against Davion Irvin, the man accused of cutting enclosures and stealing animals from the Dallas Zoo in early 2023, had been dismissed back in June 2025. Court records obtained by The Dallas Morning News revealed that Irvin was found incompetent to stand trial and had already served more time than the maximum sentence.
The timing of this news, combined with conversations at the IAAPA Expo (International Association of Amusement Parks and Attractions) in November, makes this the right moment to examine what happened from a security perspective. Irvin didn’t just randomly grab some monkeys. He systematically gathered intelligence, exploited trust, and identified vulnerabilities in both physical infrastructure and human behavior.
In cybersecurity terms, he hacked the zoo.
At IAAPA Expo, this incident kept coming up in conversations. And uncomfortable questions, could this happen at our facility? What should they be looking for? How do you train staff to spot the difference between someone who’s genuinely curious and someone who’s causing your operation? Should we run tabletop exercises or drills?
Those are exactly the right questions to be asking.
What Actually Happened: A Timeline
Let’s start with the facts. In January 2023, the Dallas Zoo experienced a series of incidents over two and a half weeks that forced multiple closures:
January 13: Nova, a clouded leopard, escaped after someone intentionally cut her enclosure. The zoo immediately declared a “code blue” and closed to the public while staff conducted an hours-long search involving helicopters, infrared drones, and a precautionary SWAT team. Nova was found safe on zoo grounds later that day. During the search, staff discovered cuts in the langur monkey habitat as well, though none of those animals escaped. The zoo reopened the following day.
January 21: Pin, an endangered lappet-faced vulture, was found dead with suspicious wounds. The zoo announced a $10,000 reward for information leading to an arrest. (The US Fish and Wildlife Service later determined this was likely predator-related and unconnected to the other incidents. Just bad timing.)
January 29-30: On the night of January 29, two emperor tamarin monkeys, Bella and Finn, were stolen. Police would later find intentional cuts in their habitat large enough for a person to get through.
January 30-February 1: The zoo was closed Monday through Wednesday due to an ice storm that hit North Texas. The monkey theft was discovered on January 30, while the zoo was already closed due to the weather. The timing meant staff couldn’t respond in real-time or investigate immediately; they were already dealing with weather-related closures and the operational challenges that come with protecting animals during extreme cold.
January 31: Acting on a tip, police found the monkeys in a closet at a vacant home in Lancaster, Texas. The house also contained multiple cats and pigeons. According to arrest affidavits, police also found dead feeder fish and fish food that had disappeared from a staff-only area of the zoo earlier in January but had not been reported stolen at the time. The zoo increased the reward to $25,000.
February 2: Irvin was arrested at the Dallas World Aquarium. where employees recognized him from surveillance footage and reported that he was asking suspicious questions about their animals and enclosures.
According to arrest affidavits, Irvin visited the Dallas Zoo multiple times over three or four days before the thefts. He bought tickets like any visitor, rode public transit, and critically spent those visits asking zoo staff very specific questions.
The Cascading Impact of Security Incidents
Here’s what often gets lost: these incidents didn’t just threaten animal welfare; they shut down operations, consumed massive resources, and put employees/guests at risk.
The January 13 closure for Nova’s search meant lost revenue, cancelled programs, and staff searching 106 acres instead of caring for animals. Then came the weather closure. Discovering that monkeys had been stolen while already closed, dealing with ice storm complications, and being stretched thin. That’s when incidents compound into a crisis.
Imagine that call: your facility is closed due to weather, you’re running skeleton crews, and an enclosure has been cut, and animals are missing. You can’t bring extra help; roads are iced over. You’re trying to protect every animal from the weather while responding to what’s clearly a criminal pattern, while keeping employees safe.
Security incidents at zoos aren’t just about immediate theft; they create operational chaos that ripples through every function.
Recognizing the Reconnaissance Phase
Irvin didn’t just show up one night with bolt cutters. He conducted reconnaissance over multiple visits, asking zoo staff specific questions about how monkeys were cared for and housed, when staff arrived for morning feedings, how late they stayed on site, and details about the clouded leopard.
Staff found these questions odd enough to remember them. But they answered them.
I’ve worked around zoos, from a research associate studying gorillas to volunteering in commissaries, and I understand the culture. Zoo professionals love their animals and are passionate educators. When someone shows genuine interest, you want to engage. That enthusiasm makes zoos special and magical. But we need to train staff to recognize when questions cross from curiosity into reconnaissance.
At IAAPA, this challenge kept coming up: How do you maintain that welcoming, educational environment while protecting operational security? How do you teach employees to spot the difference between “Tell me about the tamarins!” and “What time does someone check on them in the morning?”
The answer is training. Specific, scenario-based training that helps staff recognize suspicious patterns, not just a one time workshop, but as often as possible.
Social Engineering in Physical Space
In cybersecurity, social engineering is when attackers manipulate people into divulging confidential information or compromising security. We usually think of phishing emails, pretexting calls, or even those annoying texts that ask, “Are you working today?” But social engineering is also in physical environments.
Irvin’s approach had all the hallmarks of a social engineering attack: gathering information through multiple visits, establishing legitimacy as a normal visitor, exploiting staff trust, eliciting details through innocent-seeming questions, then using that intelligence to execute the thefts.
This is the same attack pattern we see in corporate espionage and in targeting critical infrastructure. The venue was different, but the methodology was textbook.
What makes it particularly insidious: Irvin told police he loved animals and would do it again if released. His motivation wasn’t malicious in the traditional sense; he wasn’t trying to harm animals or extort the zoo. But that almost makes it harder to detect. He could present as enthusiastic and knowledgeable, someone who genuinely cared.
What the Dallas Zoo Did Right
Before we talk about what other facilities can learn, let’s acknowledge what the Dallas Zoo did well. They took it seriously. After Nova’s escape, they immediately involved law enforcement and launched a criminal investigation, not dismissing it as a one-off accident. They responded quickly after each incident, doubling security measures, adding motion-detection alarms, solar-powered surveillance towers, additional guards, and improved fencing. They even brought in outside consultants for a comprehensive assessment.
They communicated openly with the public and city officials. In a February 21 presentation to the Dallas City Council, Sean Greene, Chief Operating Officer of the Dallas Zoo, acknowledged the failures directly: “It’s unacceptable the criminal acts that took place. It’s also unacceptable that one of those security layers somewhere broke down.” That’s the kind of transparency that builds trust.
In the months following the incidents, they’d spent over $1 million on security upgrades. They successfully lobbied for $30 million in Dallas’s 2024 bond program for continued improvements. The American Zoo Association (AZA) stood behind them, correctly identifying them as victims, and other facilities used it as an opportunity to review their own protocols.
Lessons for Other Facilities
So, what should zoo and aquarium operators take away from this?
1. Train staff to recognize and respond to suspicious questions
Your employees and volunteers need specific guidance on what constitutes suspicious questioning. Understand the difference between “How do you take care of these animals?” (appropriate) and “What time do staff check on these animals in the morning?” (suspicious).
Create clear protocols: If someone asks about schedules, access points, security measures, or operational details, staff should provide vague, general answers, not volunteer specific times or procedures, and report the interaction to security or management.
2. Conduct tabletop exercises for physical security incidents
Tabletop exercises are standard practice in corporate cybersecurity; organizations regularly practice their response to ransomware attacks, data breaches, and system compromises. But zoos and aquariums typically don’t run these exercises for cyber-physical security incidents, and they should.
Consider: if you discovered an animal theft right now, who would you call? Would they be reachable? Would your security team be able to respond? Do you have backup personnel identified? What if they hacked your security system and took your cameras offline? These exercises reveal gaps before you’re dealing with an actual crisis.
3. Implement behavioral indicators training
The cybersecurity world has gotten better at recognizing patterns of behavior indicating malicious intent before incidents occur. The same principles apply in physical security: multiple visits in a short timeframe, extensive photography of non-public areas or security infrastructure, questions about routines and procedures, attempts to access staff-only areas, and engaging employees in ways that don’t feel like probing for information.
Train your team to recognize these patterns and report them. Create a culture where it’s expected to report concerns without fear of being labeled as overreacting.
4. Review access control for both physical and digital systems
Irvin jumped a perimeter fence after dark, a physical access control failure. But access control extends beyond fences: Who has keys or access cards to what areas? Are staff-only areas clearly marked and monitored? Do cameras cover vulnerable areas? Are your cameras using default login credentials? Who has access to the cameras, and where is that data stored? Can security respond quickly to alerts? Are there coverage gaps during shift changes or after hours?
And don’t forget digital access control. Your facility management systems, camera networks, and operational technology are part of your attack surface. Strong passwords, multi-factor authentication, and least privilege aren’t just IT concepts; they’re essential for protecting physical infrastructure, animal safety, employee safety, and guest safety.
5. Consider the insider threat
Irvin wasn’t an insider, but he used insider information gathered from staff. When employees share details about schedules, procedures, or security measures, even innocently, they create vulnerabilities.
Your passionate, knowledgeable staff make these institutions special. But they’re also potential targets for social engineering. This challenge isn’t unique to zoos; across critical infrastructure and operational technology environments, the people running essential systems are simultaneously your strongest asset and your biggest vulnerability. The key is training them to recognize the difference between genuine interest and exploitation.
Why Physical and Cyber Security Are Inseparable
One of the most interesting aspects of this incident is how it illustrates the inseparable nature of physical and digital security. The Dallas Zoo’s response, motion-detecting cameras with alarms, security consultants assessing technology infrastructure, and annual third-party evaluations, shows that modern facilities are cyber-physical systems.
Your cameras, access controls, environmental monitoring, and facility management all run on networks. Those networks need to be secured with the same rigor you’d apply to any other critical infrastructure. And your staff needs training that addresses both physical and digital threats.
This is exactly the link I discussed at IAAPA. The threats don’t fit neatly into “cyber” or “physical” categories. Social engineering bridges both worlds; an attacker who gathers operational routines can use that intelligence to time a physical breach, disable cameras, distract employees, or exploit coverage gaps.
Looking Forward
The Dallas Zoo incident became a catalyst for change across the industry. Texas legislators introduced bills elevating trespassing in animal enclosures to a felony. The zoo hired CEO Lisa New, emphasizing renewal, opening new habitats, expanding programs, and maintaining enhanced security.
For zoo and aquarium operators: you don’t need a million-dollar budget to take action:
Begin with staff training this week.
Review the incident response next week.
Conduct a tabletop exercise next month.
What you can’t afford is assuming it won’t happen to your institution.
Cyber-physical Security Awareness requires recognizing that the threat exists and training your team accordingly. This isn’t about turning zoos into fortresses. It’s about protecting the animals in our care, the staff who dedicate their lives to conservation, and the visitors who trust us.
The Dallas Zoo case is closed, but the conversation about zoo cyber-physical security is just beginning.
Stay safe, Stay curious,
Kristin King
