Aerospace and defense giant Aerojet Rocketdyne has agreed to pay $9 million to settle accusations brought by a former employee regarding the company’s compliance with government cybersecurity requirements.
A lawsuit alleging violations of the False Claims Act was filed against Aerojet Rocketdyne in 2015 by former employee Brian Markus, who was hired by the company in 2014 as senior director of cybersecurity, compliance and controls.
According to the complaint, Markus had been promised a budget of $10-15 million and up to 35 employees to improve the company’s cyber defenses. Instead, he was given only a $3.8 million budget and fewer than ten employees.
Aerojet Rocketdyne makes various products for the aerospace and defense industries, including propulsion and weapons systems. Since the company is a major supplier for the United States government, including NASA and the Defense Department, it needs to comply with federal requirements and meet minimum cybersecurity standards to prevent unauthorized access to sensitive information.
Markus claimed in his complaint that the company not only failed to meet the minimum standards, but also misled the government.
Despite having its systems breached by state-sponsored threat actors in 2013 and 2014, Aerojet Rocketdyne failed to take proper action and attempted to conceal its non-compliance from both the government and its board of directors, the whistleblower alleged.
A cybersecurity audit conducted in 2014 showed that the company was less than 25% compliant. Markus later prepared a presentation to inform the board of Aerojet’s non-compliance, but then-president Warren Boley changed the presentation to hide the information from the board, the complaint alleged.
In April 2015, a cybersecurity assessment conducted by EY found — within four hours — that the company’s systems had been plagued by critical vulnerabilities that could be exploited to compromise systems and gain access to highly sensitive corporate and technical information.
Markus’ employment was terminated in September 2015, just a few months after he allegedly refused to sign documents falsely claiming that the space propulsion company had been in compliance with government cybersecurity requirements.
The Justice Department announced on Friday that Aerojet Rocketdyne has agreed to pay $9 million to resolve the False Claims Act allegations. Markus filed the lawsuit under the whistleblower provisions of the False Claims Act on behalf of the US government and he is entitled to part of the settlement. Specifically, he will receive $2.61 million.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
