Amtrak is just the latest company to see a breach in the security of its customers' personal data, but this time the threat came from within. According to an August 11 report from Amtrak's inspector general, Tom Howard, an unnamed employee of the train company sold passengers' confidential records to the Drug Enforcement Agency (DEA) over a period of 19 years, without the knowledge or approval of Amtrak officials. The data may have included a slew of personal details, such as travelers' names, credit card numbers, passport numbers and dates of birth.
The report says that the DEA paid the worker, identified only as a secretary to a train and engine crew, $854,460 over two decades to act as an informant. Amtrak administrators say that when they discovered the breach, they filed internal charges against the employee. However, they allowed the worker to retire rather than face disciplinary measures.
Sen. Chuck Grassley, a Republican from Iowa, released a letter to the DEA on August 7 expressing concern over the news. He pointed out that the DEA could have obtained the information that the Amtrak employee provided for free if it had gone through the appropriate channels and worked with an existing drug enforcement task force. He also criticized the agency for failing to cooperate with the Amtrak Police Department (APD).
"In addition to the unnecessary expenditure of $850,000, DEA's actions reflect an unwillingness to cooperate jointly with the APD on investigations of narcotics trafficking on Amtrak property," Grassley wrote to DEA Administrator Michele Leonhart. "This undercuts the purpose of the joint drug enforcement task force and prevented the APD from coordinating and sharing information with the DEA."
The revelation also raises serious questions about the security of personal information that passengers regularly entrust to travel corporations that operate trains and airlines. Such companies routinely save passengers' names, credit card numbers, passport numbers and dates of birth. They also record customers' seat numbers, dates of travel, frequent traveler information, emergency contacts and gender, as well as the identities of their past traveling companions. All of that adds up to an enormous amount of data that criminals could use to steal consumers' identities, possibly even opening up credit cards and taking out loans in their names.
While data breaches that originate externally have become fairly common in recent months, it is unusual to hear that information was compromised due to an internal leak that was completely unauthorized by managers. Although the organization purchasing customers' private information in this case was a government entity, there is no guarantee that identity thieves will not strike similar deals with corporate employees. In that sense, this story is yet another reminder to closely monitor your credit history in case your information falls into the wrong hands.
One way that you can help protect yourself from becoming a victim is to invest in a credit monitoring service. While such systems cannot guarantee protection from identity theft, they can alert you to certain activity that may indicate credit fraud. If you are made aware of such activity, you can take proactive steps to thwart fraudsters and keep them from ruining your identity. Otherwise, you might not realize that you have been targeted until it is too late to stop thieves in their tracks.
Amtrak's inspector general advised the corporation to actively address "control weaknesses." However, until companies exhibit an ability to better defend customers' private data against both internal and external threats, consumers must do everything that they can to protect themselves.