Audit of the Massachusetts Bay Transportation Authority (MBTA)
April 23, 2020 · Massachusetts Bay Transportation Authority · Read the full official report on mass.gov ↗ · official site ↗
source
“The Massachusetts Bay Transportation Authority (MBTA) did not ensure that employee access identification (ID) cards were retrieved and destroyed and that security access was disabled promptly when employees left the agency.”
Read the plain-English breakdown
This is a state performance audit of the MBTA covering January 1, 2017 through March 15, 2019, with some security-access testing extending later into 2019.
“This report details the audit objectives, scope, methodology, finding, and recommendations for the audit period, January 1, 2017 through March 15, 2019.”
Auditors wanted to know whether the MBTA had enough physical security to keep unauthorized people out of vehicle maintenance and storage facilities.
“The objective of this audit was to determine whether the MBTA had sufficient physical security measures in place to prevent unauthorized access to its vehicle maintenance and storage facilities.”
These facilities hold and service MBTA vehicles, so weak security can put riders, workers, and public property at risk.
“Effective physical security controls at these facilities are essential to the MBTA’s ability to protect its customers and employees and to safeguard its most critical assets.”
If you ride the MBTA or pay taxes in Massachusetts, this matters because the audit is about protecting transit facilities, employees, passengers, and public resources.
“As a result, the facilities were vulnerable to unauthorized access, placing the security and safety of MBTA property, passengers, and employees at risk.”
The main problems were that access cards were not consistently recovered or destroyed, and former employees’ access was sometimes left active for long periods.
“The delays gave individuals continued access to MBTA facilities and properties for months and even years after separation.”
The auditor recommended that the MBTA immediately review access, create clear rules for handling departing employees, and monitor whether access is shut off promptly.
“The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.”
Auditors found real evidence that some former employees used MBTA facilities after leaving the agency, showing the weakness was not just theoretical.
“As a result of this issue and the issue discussed in Finding 1a, we found 85 instances (involving 35 individuals) where former MBTA employees physically accessed MBTA facilities after their effective termination dates.”
An employee access ID card is the MBTA badge workers use to prove they work there and, where card readers exist, to enter restricted areas.
“These cards confirm employees’ affiliation with the MBTA and are used by the MBTA to control access to restricted areas of facilities and buildings equipped with card readers.”
What the Auditor checked
- Did not comply Does the MBTA have physical security measures to prevent unauthorized access to its vehicle maintenance and storage facilities? Specifically, Are the security access privileges of separated employees promptly disabled?
- Did not comply Does the MBTA have physical security measures to prevent unauthorized access to its vehicle maintenance and storage facilities? Specifically, Are employee access identification (ID) cards retrieved and destroyed when employees leave the agency?
- Complied Does the MBTA have physical security measures to prevent unauthorized access to its vehicle maintenance and storage facilities? Specifically, As of July 1, 2019, was perimeter security fencing in proper working condition?
What the Auditor found
Why it matters: Former employees or unauthorized individuals could use MBTA access ID cards to enter secured areas, avoid screening, or receive free access, increasing security and criminal-risk exposure.
Standard: MBTA's Employment Separations policy and MBTA Employee Policy Manual require employees to return agency property, including employee IDs, upon separation. ( MBTA's Employment Separations policy )
3 recommendations
- The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.agency: already implemented
- The MBTA should develop and implement an authority-wide policy and detailed procedure for the processing of terminated employees.agency: agreed
- The MBTA should develop and implement monitoring controls to ensure that security access for separated employees is promptly disabled.agency: agreed
Agency response & Auditor reply
Agency: "The MBTA agrees with the recommendation and will assess the best means to expediently implement a solution."
Why it matters: Former employees retained unauthorized access to MBTA facilities and properties for months or years, creating risks to facilities, property, workers, passengers, and public safety.
Standard: National Institute of Standards and Technology Special Publication 800-53r4 recommends terminating or revoking credentials when employment ends.
3 recommendations
- The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.agency: already implemented
- The MBTA should develop and implement an authority-wide policy and detailed procedure for the processing of terminated employees.agency: agreed
- The MBTA should develop and implement monitoring controls to ensure that security access for separated employees is promptly disabled.agency: agreed
Agency response & Auditor reply
Agency: "Cardholder deactivations depend on timely flow of information between departments, which can vary due to a variety of factors."
Auditor: "Based on its response, the MBTA is taking appropriate measures to address our concerns."
Why it matters: Former employees received free transportation to which they were not entitled, resulting in at least $5,517 in estimated lost revenue.
Verified dollar findings
Identified dollar findings that do not fall in a named band.
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Bay Transportation Authority .
-
Massachusetts Bay Transportation Authority's Monitoring of the Operations of the South Station Ground LeaseTransit Authority · SEPTEMBER 30, 2010 -
Audit of the Massachusetts Bay Transportation Authority - Review of Contract Management ProcessTransit Authority · September 28, 2018 -
Massachusetts Bay Transportation Authority Controls over Parking-Lot RevenueTransit Authority · October 8, 2015 -
Audit of the Massachusetts Bay Transportation Authority - Keolis Contract (March 4, 2025)Transit Authority · March 4, 2025 -
Audit of the Massachusetts Bay Transportation Authority (March 10, 2025)Transit Authority · March 10, 2025 -
Massachusetts Bay Transportation Authority (MBTA) Station Modernization ActivitiesTransit Authority · June 16, 2014 -
Audit of the Massachusetts Bay Transportation Authority - Block by Block Contract(July 7, 2024)Transit Authority · July 7, 2024 -
Massachusetts Bay Transportation Authority's Commuter Rail OperationsTransit Authority · JANUARY 18, 2011 -
Audit of the Massachusetts Bay Transportation Authority - Automated Fare Collection System 2.0 Project (January 16, 2025)Transit Authority · January 16, 2025 -
Massachusetts Bay Transportation AuthorityTransit Authority · AUGUST 8, 2000