Penn State Settles for $1.25 Million Amid Allegations of Cybersecurity Non-Compliance on Federal Contracts

Published on October 23, 2024

Pennsylvania State University (Penn State) has agreed to a $1,250,000 settlement over allegations of False Claims Act violations related to non-compliance with federal cybersecurity requirements, as announced by U.S. Attorney Jacqueline C. Romero. The claim suggests that, from 2018 to 2023, the university failed to implement the cybersecurity measures required by defense and space agency contracts, according to a statement released yesterday by the U.S. Attorney's Office for the Eastern District of Pennsylvania.

The allegations state that Penn State did not develop action plans to address cybersecurity weaknesses, misled the Department of Defense (DoD) about timelines for implementing controls, and failed to use compliant external cloud services while storing or accessing sensitive defense data, the protection of which is a serious obligation. The university purportedly misrepresented dates for implementing corrective measures, and plans to meet these obligations were not pursued, which is a breach of trust and could have compromised sensitive information, according to information from the U.S. Attorney's Office for the Eastern District of Pennsylvania.

"When they fail to meet their cybersecurity obligations, we and our law enforcement partners will use every available tool to remedy the situation," U.S. Attorney Romero stated to the Department of Justice, emphasizing the federal commitment to cybersecurity enforcement. "Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors."

The investigation involved resources from various agencies, including the Naval Criminal Investigative Service (NCIS) Economic Crimes Field Office, the Department of Defense Office of Inspector General, and NASA's Office of Inspector General. Special Agent in Charge Greg Gross of NCIS stated to the Department of Justice, "As our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated," highlighting the stakes and the collective resolve among agencies to protect national interests from cyber threats.

Special Agent in Charge Patrick J. Hegarty of the Defense Criminal Investigative Service (DCIS) underscored the seriousness of the claims, asserting that safeguarding DoD procurement activities is a paramount concern—failure to adhere to contractual stipulations endangers both information and programs. Additionally, Assistant Inspector General for Investigations Robert Steinau of NASA pointed out that the university's inability to address known deficiencies compromised government cybersecurity efforts. The lawsuit, *U.S. ex rel. Decker v. Pennsylvania State University*, was filed under whistleblower provisions, granting the whistleblower, former Penn State Chief Information Officer Matthew Decker, a $250,000 share of the settlement.

This matter was handled on the prosecutorial side by Assistant U.S. Attorneys Rebecca S. Melley and Peter Carr, along with Auditor Dawn Wiggins. Brought to light by the Department's Civil Cyber-Fraud Initiative, announced in 2021, this case reinforces the government's stance on cyber fraud and holds implicated parties accountable, while emphasizing the cooperative effort of federal agencies to uphold cybersecurity standards and protect the integrity of sensitive data.