Whistleblower lawsuit alleges Penn State falsified records, mishandled sensitive information

A whistleblower lawsuit made public Monday alleged Penn State has not adequately protected sensitive government information, potentially calling into question dozens of projects where the university has not complied with its contracts.

Allegations include intentionally falsifying government compliance reports and moving from an approved and secured cloud service to an unapproved commercial version of Microsoft Office 365.

The allegations were brought by Matthew Decker, who served as the chief information officer for Penn State’s Applied Research Laboratory as early as 2015. The lawsuit was filed in October.

A Penn State spokesperson did not respond Friday to a question that asked if Decker was still employed by the university. He is not listed in the university’s directory and his LinkedIn indicates he left the university in March.

“Sensitive government research and national security information is at the very least at risk,” Decker’s attorney Darth M. Newman wrote in the 24-page lawsuit.

The university’s Applied Research Laboratory was founded in 1945 at the request of the U.S. Navy and the Defense Department designated Penn State a University Affiliated Research Center. The Navy in 2018 awarded a 10-year contract worth as much as $2.1 billion to the ARL to conduct research and development to improve U.S. national security.

The university, which typically does not offer public statements about pending litigation, said it would “address these allegations at the appropriate time in the context of the litigation.”

“Penn State is dedicated to compliance and takes its compliance obligations, including, its cybersecurity obligations, under federal government contracts very seriously,” university spokesman Wyatt DuBois wrote in a statement. “The university has allocated significant resources to maintain compliance with these and other federal requirements. Penn State has worked and continues to work cooperatively and collaboratively with the government to address any questions.”

Contractors like Penn State are required to self-attest to compliance with 110 security requirements spelled out by the National Institute of Standards and Technology; there is no oversight, Newman wrote.

The self-reported scores must be submitted before a defense contract is renewed or awarded. At least 20 records submitted to the government were falsified, the lawsuit alleged.

Some of the submitted reports were template documents entered to merely “check the box,” the lawsuit alleged.

Decker’s lawsuit alleged more sensitive information was put at risk when the university migrated some of its data from certified cloud-storage service Box to Microsoft’s cloud-storage service OneDrive.

Penn State uses the commercial version of the product, which is not certified or compliant, the lawsuit alleged. The university, in an August 2020 statement, said it planned to stop using Box in part because of increasing costs.

“Penn State has, at best, inconsistently sprinkled in some small levels of cyber security best practices, but these half measures are not systemic,” Newman wrote. “... There is no chance that comprehensive protection or compliance can be truthfully attested.”

He added: “It seems there is virtually no chance that Penn State could respond effectively and quickly enough to maintain the contract if a sponsor should investigate the false attestations.”

The lawsuit is seeking, in part, to award the United States government triple the amount of compensatory damages for each alleged false claim and the maximum civil penalty for each false claim, record and statement. Decker is seeking litigation costs and proceeds from a potential settlement.

Federal Judge Paul S. Diamond unsealed the case Monday, finding the government presented no exigent circumstances to warrant keeping the lawsuit shielded from the public. Investigators have evaluated Decker’s allegations for more than seven months.

The Justice Department must notify a federal judge by Sept. 29 if it plans to intervene.

CDT reporter Josh Moyer contributed to this report