Federal contractor to pay $9M to resolve cyber-related false claims case

Aerojet Rocketdyne, a jet propulsion company with Defense Department and NASA contracts, agreed to pay a $9 million settlement to conclude a lawsuit alleging the company lied to the federal government about its cybersecurity posture.

The settlement, announced last Friday, stems from a whistleblower lawsuit launched in 2017 via the False Claims Act. The original complaint alleged that Aerojet was the victim of state-sponsored hacking attempts, which the firm duly reported, but the company omitted mention that its targeted systems were not compliant with minimum cybersecurity hygiene standards required under its contracts with DOD and NASA. Additionally, the complaint alleged that company officials hid the results of an adverse cybersecurity audit from its own board and on other occasions demanded that outside auditors rewrite reports that were critical of Aerojet’s cybersecurity posture.

The complaint was brought by a former company chief information security officer Brian Markus, who was fired in 2015 after allegedly declining to sign security attestations. Markus will receive $2.61 million in the settlement. Aerojet did not admit any liability.

The Justice Department is taking an increased interest in the cybersecurity claims of vendors. Last year, the agency announced its Civil Cyber-Fraud initiative targeting “entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”