If the White House’s faux pas using Signal last week wasn’t enough of a wake-up call for the lax cybersecurity folks out there, we don’t know what is. Unless you’re off the grid, you’ve likely already been bombarded with news about The Atlantic’s journalist who was added to a government group chat and received confidential information about attack plans.
As more communications and transactions naturally move online, it’s critical to safeguard personal and sensitive data so it doesn’t wind up in malicious hands. Sensitive information can be gathered and exploited in infinite ways as cybercriminals develop more sophisticated tactics to leverage vulnerabilities in systems, devices, and networks. The lurking threats can put sensitive data at risk and even jeopardize national security.
Special Agent in Charge of the Air Force Office of Special Investigations (AFOSI) recently noted, “[f]ailure to implement cybersecurity requirements can have devastating consequences leaving sensitive DoD data vulnerable to cyber threats and malicious actors.” Cybersecurity vigilance is particularly vital in government contracting. When companies sign government contracts, they agree to comply with robust cybersecurity measures.
MORSECORP Inc. (MORSE), a defense contractor, failed to comply with the government’s mandatory cybersecurity measures and, as a result, recently agreed to pay over $4.6 million to settle allegations that it violated the False Claims Act relating to its contracts with the Departments of the Army and Air Force from 2018 to 2023.
MORSE’s violations took many shapes, including its failure to create a consolidated written plan for its covered information systems. It also used a third-party vendor to host company emails without verifying that the vendor met the security requirements of the Federal Risk and Authorization Management Program (FedRAMP), a government initiative that standardizes security assessment, authorization, and continuous monitoring for cloud products and services. Specifically, MORSE did not comply with FedRAMP Moderate, which refers to the security requirements for cloud services that handle moderate impact level data. In other words, this is sensitive, not classified, data, the disclosure of which could cause “serious adverse effects to an agency’s operations, assets, or individuals.”
MORSE also failed to comply with the DoD’s requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
U.S. Attorney Leah B. Foley for the District of Massachusetts said: “We will continue to hold contractors to their commitments to follow cybersecurity standards to ensure that federal agencies and taxpayers get what they paid for, and make sure that contractors who follow the rules are not at a competitive disadvantage.”
Constantine Cannon whistleblower partner Alysia Solow explained, “Sensitive government information must be safeguarded against potential cyber threats. Ensuring federal contractors meet all requirements and fulfill their contractual obligations is crucial for both individual and national security.”
The settlement resolves a lawsuit filed under the qui tam, or whistleblower, provisions of the False Claims Act, which allow private parties to sue on behalf of the government and receive a percentage of the recovery. In this case, the whistleblower will receive $851,000.
The DOJ takes cybersecurity violations seriously and continues to enforce its Cyber-Fraud Initiative from 2021 to target federal contractors that put sensitive information at risk through faulty cybersecurity products and practices.
Consequences of cybersecurity fraud can include shelling out millions in settlements, as MORSE did, and the grave possibility of sensitive information getting taken and abused by bad actors.
The Role of Whistleblowers and Cybersecurity Fraud
Whistleblowers are fundamental to pointing out misconduct and sharing information about matters such as defrauding the government. This can include claims of fraud in federal government contracts and programs, failure to comply with cybersecurity requirements, concealing cybersecurity vulnerabilities, computer hacks, data breaches, and more.
Our Firm Helps Cybersecurity Fraud Whistleblowers
Constantine Cannon handles cases related to cybersecurity fraud. If you have details or questions regarding a possible case, please contact us to see how we can help.
U.S. Department of Justice, Office of Public Affairs Press Release
Read Cybersecurity 101: What Can We Learn from the White House’s Signal Slip Up and MORSECORP’s $4M+ False Claims Act Settlement at constantinecannon.com