
Penn State University has been penalised £1.25 million for failing to meet cybersecurity requirements specified in its contracts with federal agencies, including the Department of Defense and NASA. The fine is linked to 15 contracts in which the university allegedly did not implement necessary cybersecurity controls from 2018 to 2023.
According to the Department of Justice (DOJ), Penn State acknowledged its cybersecurity deficiencies in assessment filings but subsequently misrepresented the timelines for corrective actions. Despite promises to rectify the issues, the university did not pursue effective plans to address these failures. Principal Deputy Assistant Attorney General Brian Boynton emphasised the obligation of universities receiving federal funding to uphold stringent cybersecurity standards, stating that the DOJ will hold institutions accountable for not protecting government information.
The settlement arose from a lawsuit filed under the whistleblower provisions of the False Claims Act, which permits individuals to act on behalf of the federal government in cases of false claims. Matthew Decker, the former chief information officer at Penn State’s Applied Research Laboratory, will receive £250,000 as a share of the settlement.
While the settlement allows Penn State to neither admit nor deny the allegations, a spokesperson noted that the university has since adopted new cybersecurity policies to meet future obligations. They also clarified that there is no indication that non-classified information involved in the case was compromised.
This incident is part of a broader initiative launched by Deputy Attorney General Lisa Monaco in 2021, aimed at addressing cybersecurity shortcomings among federal contractors and safeguarding sensitive government data.
© 2025, Lyonsdown Limited.