Aerojet Rocketdyne Pays $9M to Settle Cybersecurity LawsuitCompany Accused of Misrepresenting Its Defenses to Federal Government
Aerojet Rocketdyne will pay $9 million to settle a lawsuit from a former executive who accused the U.S. rocket engine manufacturer of shirking its cybersecurity responsibilities even after it was hacked by nation-state threat actors.
U.S. District Judge William B. Shubb approved the settlement earlier this month, permitting plaintiff Brian Markus to walk away with a $2.6 million share after accusing the California company of misleading government clients over the strength of its network defenses. Markus served as a senior cybersecurity director at Aerojet Rocketdyne for approximately one year before leaving in 2015 and suing that year under the False Claims Act.
The company is not admitting guilt as part of the settlement.
Based in Sacramento, Aerojet Rocketdyne is principally a government contractor supplying military services, NASA and the Missile Defense Agency with rocket propulsion and power systems. Last year, it obtained nearly $2.2 billion in revenue. A spokesman said the company has no comment about the settlement or lawsuit.
Markus alleged his former employer concealed its poor state of security even as it reported nation-state-sponsored breaches of its systems in 2013 and 2014 to the Department of Defense. Among other charges, Markus said the company intimated it had installed certain security equipment that was still in its box and that the company exaggerated the reach of its defenses. In 2015, the company allegedly complied with a requirement to install magnetic card two-factor authentication only to uninstall the card readers after a few months.
The former executive also accused the company of retaliation by firing him after he filed an internal ethics report.
The lawsuit made it all the way to trial earlier this year, but the parties reached a settlement during the second day of proceedings.