WASHINGTON — Amtrak employees have tried to sell “high-security keys” used to operate rail switches and other “critical sensitive infrastructure,” posing security risks to passengers and crews, according to the government-owned passenger rail system’s Office of Inspector General and court documents.
In a report released Wednesday, the OIG faulted the railroad’s lack of centralized guidance and security systems for the keys, saying it has “limited controls governing the distribution, management, tracking and retrieval of its high-security keys.”
“Senior officials in the Service Delivery and Operations department and Corporate Security acknowledge that they cannot account for the keys the company has issued, and that this broad public availability of high-security keys presents security and safety risks, potentially giving bad actors opportunities to disrupt train operations,” according to the report signed by the National Railroad Passenger Corp.’s assistant inspector general for audits, Jim Morrison.
Amtrak first came under investigation for its key-management protocol after a conductor in Sanford, Fla., and his wife were accused of trying to sell stolen keys on Facebook Marketplace. Although details of the case are redacted in the OIG report, state court documents match the report’s description of the incident, in which the conductor, Kenneth Jackson, is alleged to have stolen high-security keys, low-security railroad locks, an engine door key and a coach key in October 2021.
Investigators wrote in the initial report that the keys “could open rail switches that could cause a derailment of a passenger or freight train.”
Specifically, the stolen keys could be used to open switches on the Union Pacific Railroad, Norfolk Southern Railroad, Canadian Pacific Railroad and Amtrak in the Mideast and Northeast corridors, as well as open locks on cabinets used to store “long guns” on Amtrak passenger trains, according to state court documents.
Jackson was charged on Nov. 28 with failure to dispose of duplicate switch keys and dealing in stolen property. His arraignment is set for Jan. 3.
The report found that Amtrak does not meet industry standards for key security, which includes measures like making keys with unique identifiers and conducting periodic inventory reviews. Although some departments have taken up their own efforts to track the keys, Amtrak does not have a centralized mechanism for controlling the keys, investigators said.
The report adds that Amtrak began drafting a policy framework for high-security keys in 2019, but it had yet to authorize or distribute the policy as of September.
Can’t change locks
And it’s too late to try to get the stolen keys back, it adds. Amtrak told the OIG that it would be “futile” to count and collect all of the keys it has issued throughout the years and it would cost too much to try to change the locks across the company’s infrastructure.
“The company has some requirements related to its high-security keys, but it is unclear how rigorously it enforces them,” the report says. “One Material Control manager told us that employees do not turn them in when they transfer or leave the company, including when they are terminated.”
Amtrak has in the past fallen victim to company supplies disappearing and reappearing on the internet — a New Jersey employee was arrested in 2021 for stealing and reselling $76,000 worth of chainsaws and chainsaw parts from the company.
Some local transit systems have also succumbed to security breaches due to stolen keys. Chicago’s CTA service came under investigation in 2013 after two keys to train doors that can access the operations room were stolen.
But the Amtrak OIG report details one of the most widespread potential security threats to passenger rail due to stolen items.
OIG auditors noted in the report that Amtrak officials agreed that the company should adopt a centralized key management system, create a policy framework and implement stronger controls over its own keys, including tracking measures.
