Aerojet Rocketdyne to Pay $9M Over Allegations of Cybersecurity Violations

Aerospace and defense giant Aerojet Rocketdyne has agreed to pay $9 million to settle accusations brought by a former employee regarding the company’s compliance with government cybersecurity requirements.

A lawsuit alleging violations of the False Claims Act was filed against Aerojet Rocketdyne in 2015 by former employee Brian Markus, who was hired by the company in 2014 as senior director of cybersecurity, compliance and controls.

According to the complaint, Markus had been promised a budget of $10-15 million and up to 35 employees to improve the company’s cyber defenses. Instead, he was only given a $3.8 million budget and fewer than ten employees.

Aerojet Rocketdyne makes various products for the aerospace and defense industries, including propulsion and weapons systems. Since the company is a major supplier for the United States government, including NASA and the Defense Department, it needs to comply with federal requirements and meet minimum cybersecurity standards to prevent unauthorized access to sensitive information.

Markus claimed in his complaint that the company not only failed to meet the minimum standards, but also misled the government.

Despite having its systems breached by state-sponsored threat actors in 2013 and 2014, Aerojet Rocketdyne failed to take proper action and attempted to conceal its non-compliance from both the government and its board of directors, the whistleblower alleged.

A cybersecurity audit conducted in 2014 showed that the company was less than 25% compliant. Markus later prepared a presentation to inform the board of Aerojet’s non-compliance, but then-president Warren Boley changed the presentation to hide the information from the board, the complaint alleged.

In April 2015, a cybersecurity assessment conducted by EY found — within four hours — that the company’s systems had been plagued by critical vulnerabilities that could be exploited to compromise systems and gain access to highly sensitive corporate and technical information.

Markus’ employment was terminated in September 2015, just a few months after he allegedly refused to sign documents falsely claiming that the space propulsion company had been in compliance with government cybersecurity requirements.

The Justice Department announced on Friday that Aerojet Rocketdyne has agreed to pay $9 million to resolve the False Claims Act allegations. Markus filed the lawsuit under the whistleblower provisions of the False Claims Act on behalf of the US government and he is entitled to part of the settlement. Specifically, he will receive $2.61 million.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
