A €5 Bluetooth tracker concealed in a postcard exposed a Dutch navy frigate's location, revealing an opsec lapse that's prompting new mail policies.
A Dutch navy frigate's location was exposed by a €5 Bluetooth tracker concealed in a postcard, revealing an operational security lapse that has prompted the Ministry of Defence to revise its mail policies.
How a postcard tracked a warship
The security breach involved HNLMS Evertsen, a Dutch air-defense frigate deployed to protect France's aircraft carrier Charles de Gaulle against missile threats. Journalist Just Vervaart from Dutch regional broadcaster Omroep Gelderland discovered that the Dutch Ministry of Defence makes it easy to send mail and packages to military personnel, with full instructions posted online.
Vervaart exploited this publicly available information by mailing a Bluetooth tracker hidden inside a postcard to the warship. The tracker remained active for approximately 24 hours, revealing the frigate's movements from Heraklion, Crete, where it left port and sailed west along the island's coast before turning east toward Cyprus. The device went offline near Cyprus and hasn't been reactivated.
According to Dutch defence officials, the tracker was discovered during mail sorting and disabled. However, the incident has triggered policy changes, including a ban on greeting cards containing batteries and a comprehensive review of mail guidelines.
Why the postcard method worked
The choice of a postcard was strategic. Ministry videos and mailing guidance indicated that envelopes were not X-rayed, unlike packages, making the postcard route more likely to pass through undetected. This detail highlights how seemingly minor procedural differences can create security vulnerabilities.
Opsec lessons for military and civilians
As a military veteran, I understand the delicate balance between allowing troops to stay in touch with families and protecting them from accidentally revealing crucial information. Social media has already proven to be an operational security disaster for militaries, where even innocuous posts can contain valuable intelligence for adversaries.
The Evertsen incident demonstrates that technology has fundamentally changed what constitutes acceptable security practices. Retired Dutch lieutenant general Mart de Kruif explained to Omroep Gelderland: "Nowadays, you can eliminate targets remotely and with great precision, but you do need to know where they are. So, as a frigate, you never want to reveal your location to other people."
This isn't just a military lesson. Technological evolution means practices that were once completely acceptable may now pose critical security risks that haven't yet been incorporated into operational security equations. Organizations across all sectors need to reassess their security practices in light of new technologies and their potential for exploitation.
The incident serves as a reminder that operational security must evolve continuously as technology advances, and that even well-intentioned policies designed to maintain troop morale can create unexpected vulnerabilities when combined with modern tracking capabilities.