At approximately 10.30 MDT (16.30 GMT), a gunman opened fire on shoppers in a crowded Walmart located in east El Paso. At the time of reporting 22 people have died as a result of the shooting, 24 others suffered varying injuries. The victims include eight Mexican’s, 13 American’s and one German. El Paso shares a border with Ciudad Juarez, Mexico, and the Walmart store is located adjacent to the Ciesto Villa Mall which is a popular destination for El Paso residents and shoppers who make the journey from south of the border.

Reports suggest that the gunman used an AK-47 style assault rifle during the attack, a weapon that he had purchased legally and was able to carry into the store without raising suspicion owing to the state’s law of ‘open carry’. Armed officers attended the scene within six minutes of the attack occurring and began securing the area at 10.45. The gunman fled the scene in a vehicle, before surrendering to a motorcycle police officer at an intersection north of the Walmart store. Confessing to his role in the shooting at the scene, the gunman was later identified as Patrick Crusius, a 21 year-old resident of Allen, Texas.

Subsequent investigations revealed that Crusius had posted a four-page document titled ‘The Inconvenient Truth’ to the online message forum 8chan 20 minutes prior to the attack, having driven for 11 hours from Allen, a suburb of Dallas, Texas. The document, akin to a manifesto, contained praise for the 17 March 2019 attacks against Mosques in Christchurch, New Zealand and described the author’s subsequent attack as “a response to the Hispanic invasion of Texas”.

Crusius was charged with capital murder following his arrest, though at the time of reporting the US Department of Justice is treating the incident as a case of domestic terrorism, with federal firearm and hate crime charges being considered.

Analyst Comment

The El Paso attack occurred within 13 hours of another active shooter incident that took place in Dayton, Ohio. In that attack, the gunman was equipped with a high capacity rifle fed by a 100 round drum magazine, and a bullet proof vest. Targeting a popular nightlife location, the gunman was killed by police officers within 30 seconds of opening fire. Motives for that attack, in which nine people were killed and 27 injured, are still being investigated.

Crusius’ use of the online forum 8Chan is the latest in a developing trend of attackers motivated by extreme right-wing ideology finding common cause and a platform to share their views on the social media forum. Subject only to user moderation, this is the third time this year that active shooter incidents have been proceeded by an open declaration of intent and followed by celebration amongst anonymous contributors to the site’s message boards. The perpetrator of the 17 March attack against Mosques in Christchurch, New Zealand was a prominent member of discussion boards and posted a 73 page declaration of intent that included a link to a livestream of the attack on Facebook. On 27 April, a gunman opened fire on the Chabad of Poway synagogue near San Diego, California; killing one worshipper and injuring three others. Before the attack, the gunman uploaded a manifesto to 8Chan that espoused admiration for the Christchurch attack and support for the perpetrator of an attack against the Tree of life Synagogue in Pittsburgh, Pennsylvania in October 2018 that resulted in the deaths of 11 Jewish victims.

In the days since the El Paso attack, 8Chan has come under intense scrutiny and the site’s creator (who has since relinquished ownership) has called for the site to be shut down. Cloudfare, a company that provides infrastructure security for a host of web content, has withdrawn its support for the site. This has left it open to outside attack and, at the time of reporting, these attacks have rendered it disabled. 8Chan, however, is just one of a number of fora available for extremists to share their views. As recently as 28 July, a 19 year-old gunman opened fire at a food festival in Gilroy, California, killing three people and himself, after urging his Instagram followers to read a novel popular among white supremacists. Earlier this year, two gunmen were reported to have spent over a year planning their attack on the Escola Estadul Professor Raul Brazil School in Sao Paulo, Brazil. Reports suggest that this planning was assisted by members of another forum renowned for its association with far-right contributors, known as Dogolachan. The attack took place on 13 March, resulted in the deaths of 10 people (including 5 school children), and was applauded on Dogolchan.

Outside of mainstream social media sites, online fora such as 8Chan et al are subject to minimal regulation, contributed to anonymously and provide freedom of association for those holding extremist views across the world. Until recently, authorities attempting to combat extremism have focussed their attentions toward extremist Islam and, appropriately, the threat posed by jihadist groups such as Islamic State. Despite warnings from the Federal Bureau of Investigation (FBI) regarding the growing threat of online right wing extremism fuelling the intent of potential domestic terrorists, there has been a reticence to devote resources to the issue in the United States. Intense domestic and global scrutiny in the wake of the El Paso attack may serve to alter this.

On 5 August, President Donald Trump publicly referred to Crusius’ online activities in declaring that “our nation must condemn racism, bigotry and white supremacy”. The President, however, has been subject to criticism since the attack, with some blaming his strong anti-immigration rhetoric for legitimising the views of extremists and creating a hostile environment for America’s Hispanic communities. Many of El Paso’s residents identify as Hispanic, and a visit by the President to the city on 7 August was met with protests. Domestically, this is likely to be seized upon by political rivals as the country heads toward a Presidential election in 2020.

Internationally, the attack has prompted Mexico to break from recent diplomatic acquiescence with the United States. The Mexican Foreign Minister, Marcel Ebrard, cited Crusius’ targeting of the Hispanic community and the loss of eight Mexican citizens in declaring the attack as an act of terrorism against the Mexican-American community and Mexican nationals. As a result, Mexico is seeking to increase protection for its citizens in the United States. Whilst demanding a role in any investigation, there have been suggestions that the Mexican authorities may also seek Crusius’ extradition to stand trial south of the border. Whilst the United States and Mexico have a long standing bilateral extradition treaty, this request is unlikely to be granted in relation to a US citizen who is already facing charges for the same crime. In a bid to apply further pressure to the US, Ebrard also indicated that Mexico may seek to file a law suit against the vendor who sold Crusius the weapon he used in the attack. Similar lawsuits filed by US citizens in the wake of previous active shooter incidents have had limited success, suggesting that the value of any such challenge may be mostly symbolic.

US gun laws are often brought under intense scrutiny in the wake of such attacks, and diplomatic pressure from Mexico will serve to fuel debate north of the border that incites a passionate response from all sides of the debate. Studies suggest that support for stricter gun control tends to spike as the media focusses on the aftermath of attacks. Such spikes, however, tend to fade commensurate with the amount of air time given to the attack. Whilst the 2020 Presidential race may serve to embolden candidates who seek to utilise the current climate to push for stricter controls, any reform is likely to be incremental and subject to opposition despite an increased tempo of such incidents. Given such entrenched aversion to gun control reform, response to the attack may best be served by a focus on wider societal and political drivers behind the increasing threat of domestic and global right wing extremism.

Want to take this report with you?

Subscribe to our mailing list below to unlock access to the PDF report.

Subscribe to our mailing list to unlock this content.
SI Risk Ltd collect data about individuals, usually within a business context. SI Risk Ltd treats all data which identifies an individual, or when combined with any other information which identifies an individual, as ‘Personal Data’.

As SI Risk Ltd is registered in the United Kingdom (UK), the decision has been taken to nominate the UK Information Commissioners Office (ICO) as their Lead Data Protection Supervisory Authority. As such, all practices will comply with guidance issued by the ICO.

Unless otherwise stated, SI Risk Ltd will be known as the Controller of any personal data which is provided to them by users. This means we control what happens to the data in our possession. We will treat user information with the same care and attention as SI Risk Ltd would expect their own personal data to be treated. This will include taking appropriate organisational and technical measures to protect your information while we are holding and processing it.

SI Risk Ltd collect personal data which may include (but is not limited to) name, physical address, email address, telephone number, age, IP address, organisation name, job title, dietary requirements, allergies, qualifications, interests, and other information which helps them provide their services. In some cases, this may include (but is not limited to) travel itinerary, as well as live and historical GPS tracking data.

SI Risk Ltd need to collect this personal data to provide users with Safety and Security Risk Management Services and uphold contracts agreed with entities which may include (but is not limited to) individuals, organisations, or other third parties. SI Risk Ltd will only collect personal data from users when required for the delivery of Safety and Security Risk Management Services and when there is a legal basis for doing so.

Data is processed by SI Risk Ltd and the client which is subscribing to the Safety and Security Risk Management Services provided by SI Risk Ltd. Data processing will take place in the UK, but also in the jurisdiction of the entity (which includes, but is not limited to, a partner, client, or user) which SI Risk Ltd is providing services to resides in. SI Risk Ltd will endeavour to provide details of the processing locations (where possible) at the point at which data is collected. This will not always be possible when delivering some services, such as live tracking, due to the nature of mobile data connections. Data may be processed via Asana, Dropbox, Microsoft Office 365, Lead Forensics, Google Analytics, and other similar platforms which may include the transmission of data into the United States of America (USA). Data may be shared with other entities if it is prerequisite for the delivery of Safety and Security Risk Management Services by SI Risk Ltd or for contractual agreements between which includes, but is not limited to, a partner, client, or user and the entity (which includes, but is not limited to, a partner, client, or user) to be upheld. This may include which include providing information to travel providers (e.g. airlines and hotels) and other service providers. It may not be possible to confirm these providers in advance of collecting data from the user, but SI Risk Ltd will endeavour to inform you of all data sharing that takes place.
Data processed directly by SI Risk Ltd is located on services in the UK and USA. Newsletter (and other mailing list data) is managed via third-party software (Zoho). In conjunction with this third-party software, SI Risk Ltd use analytics packages to track engagement with the information sent via email to entities which have voluntarily opted into receiving communications from SI Risk Ltd. This information may include (but is not limited to) the email address of the user and whether the user opened the communication sent from SI Risk Ltd.

Users are required to provide explicit consent that they would like to receive communications via email from SI Risk Ltd. If consent is provided by a user, we will continue to contact you for up to 10 years from the date you initially consented to receive communications from SI Risk Ltd (unless the user withdraws their consent at any time, at which point the user will cease to receive emails from SI Risk Ltd.

No other 3rd parties have access to a user’s personal data unless specifically agreed in advance of the data being collected by SI Risk Ltd, or in circumstances detailed in this Privacy Statement.

SI Risk Ltd have a Data Protection Regime in place which oversees the effective and secure processing of your personal data, which can be provided on request by contacting the Data Protection Officer.

All details provided to SI Risk Ltd will be held according to the legal and contractual requirements which SI Risk Ltd is subject to – which is detailed below.

- SI Risk’s public liability insurance requires that all the details of all events are maintained for a period of 3 years following an event or service provision provided by SI Risk Ltd.
- UK Revenue and Customs require that all payment information which is subject to VAT be kept for a period of at least 6 years following receipt of payment for services provided by SI Risk Ltd.

In accordance with this, all personal details of attendees for events and services provided by SI Risk Ltd will be retained by SI Risk Ltd for a period of 5 years following the end of our contract (unless otherwise indicated). This information may include (but is not limited to) the user’s name, physical address, email address, telephone number, age, IP address, organisation name, job title, dietary requirements, allergies, qualifications, interests, and other information which helps them provide their services. In some cases, this may include (but is not limited to) travel itinerary, as well as live and historical GPS tracking data.

In addition, billing information, which includes any personal data contained within invoices and accounting records, will be retained for a period of 6 years following the receipt of payment for services provided by SI Risk Ltd.

SI Risk Ltd endeavor to respond to all contact, including enquiries, in a timely and professional manner. Any contact which contains personal data will be retained for a period no more than 18 months from the date of receipt and response by SI Risk Ltd. This data is held by SI Risk Ltd under the legal basis of legitimate interest as it may be required to respond to future queries, both internally and externally, within this period.

No data retained by SI Risk Ltd will be used for any purpose other than that which is agreed at the time of contact between the user and SI Risk Ltd. This information will never be shared with third-parties without the user’s knowledge and will not be used to contact the user in future without the user’s express consent unless we believe it is relevant to your original enquiry.

If at any point a user believes that the information SI Risk Ltd possess is incorrect, or should the user wish to withdraw their consent, or exercise their statutory rights (which includes, but is not limited to, your right to erasure, right to access, right to rectification, and right to be informed) they can request to see this information, have it corrected, or have it deleted.

If a user wishes to raise a complaint on how SI Risk Ltd have handled their personal data, they can contact SI Risk Ltd’s Data Protection Officer, Nathan Monshin (, who will investigate the matter and take all necessary actions to address the complaint.

If the user is not fully satisfied with the response provided by SI Risk Ltd (or believe SI Risk Ltd are not processing data in accordance with the law) you can complain to the Information Commissioner’s Office (ICO) – which is the Lead Data Protection Supervisory Authority of SI Risk Ltd.

SI Risk Ltd will never request consent from, or market to, anybody under the age of 16.

SI Risk Ltd employ cookie technology to help log visitors to their website and facilitate the full and proper functionality of web services (such as but not limited to, logging in to secure areas and processing registrations). Cookies are pieces of data that are often created when someone visits a website, and which are stored in the cookie directory of a computer. Numerous cookies may be created when you visit a website controlled by SI Risk Ltd.

Up-to-date browsers give users the option to accept or decline cookies. This is a global setting that applies to every website a user visits. If a user does switch off cookies at a browser level, their device won't be able to accept cookies from any website. This means the user will struggle to access the secure area of any website they use and won't enjoy the best browsing experience when you are online. AboutCookies ( contains comprehensive information on how to disable cookies on a wide variety of browsers, details how to delete cookies from your computer as well, and more general information about them.

Cookies may be persistent, or session based. Persistent cookies are stored by a web browser and remain valid until the defined expiry date (unless deleted by the user before the expiry date). A session cookie will expire when a user ends their session (which occurs when the web browser is closed).

The type of cookies used on most websites, including those controlled by SI Risk Ltd, can be categorised in four ways (Strictly Necessary, Performance, Functionality and Targeting) according to the International Chamber of Commerce guide to cookie categories.

These cookies are essential, as they enable users to move around the website and use its features (such as accessing secure areas). Without these cookies, services you've asked for can't be provided. These cookies don’t gather information about you that is used for marketing or remembering where you've been on the internet.

These cookies collect information about how users use a website, including which pages you go to most often and if you get error messages from certain pages. These cookies don’t gather any information that identifies the user. All information these cookies collect is anonymous and is only used to improve how a website works. These cookies are not used to target users with online marketing. Without these cookies, SI Risk Ltd can’t learn how their website is performing and make relevant improvements that could better the user’s browsing experience.

These cookies allow a website to remember choices a user makes (such as user name, language, or the region you're in) and tailor the website to provide enhanced features and content for the user. For instance, a website may be able to provide a user with local weather reports or traffic news. These cookies can also be used to remember changes a user has made to text size, font, and other parts of pages that you can customise. They may also be used to provide services a user has asked for, such as watching a video or commenting on a blog. The information these cookies collect may be anonymous and they cannot track a user’s browsing activity on other websites. Without these cookies, a website cannot remember choices previously made by the user or personalise the user’s browsing experience.

These cookies are used to tailor marketing to a user and their interests. They are also used to limit the number of times a user sees an advertisement and help measure the effectiveness of advertising campaigns. They remember that a user has visited a website and this information may be shared with other organisations (such as advertisers). Although these cookies can track a user’s visits to other websites, they don’t usually know who a user is. Without these cookies, online advertisements encountered by a user will be less relevant to them and their interests.

When a user visits an SI Risk Ltd website, SI Risk Ltd collect web statistics concerning their visit which are stored in a log file. Log files allow SI Risk Ltd to record visitors’ use of the website, monitor site performance, and address any errors. The web teams use analytics to record visitors’ use of the site and use this information to make changes to the layout of the website and to the information provided on the website. Log files do not contain any personal information and they are not used to identify any individual patterns of use on the website.

This statement only covers websites and data maintained by SI Risk Ltd and does not cover other data or websites linked to, or associated with, SI Risk Ltd websites.

SI Risk Ltd may change its Privacy Statement to align with legislation and industry standards. They will not explicitly notify website users about these changes. SI Risk Ltd recommend that you check this statement on their website occasionally for any policy changes.

This version was last updated on 16 April 2019.
I agree with the Terms & Conditions