Georgia Tech Pays $875,000 to Settle Federal Cybersecurity Fraud Allegations

Georgia Tech and the Georgia Tech Research Corporation (GTRC) have agreed to pay $875,000 to resolve allegations that they falsified cybersecurity compliance scores submitted to the Department of Defense (DOD). The settlement concludes a three-year legal battle initiated by two Georgia Tech cybersecurity officials who filed a whistleblower lawsuit in 2021.

The lawsuit claimed Georgia Tech fabricated scores regarding its safeguards for federal research projects, violating the False Claims Act (FCA). According to the Department of Justice (DOJ), the institution failed to implement required cybersecurity measures for work performed for the Air Force and the Defense Advanced Research Projects Agency, rendering their claims for payment fraudulent.

While Georgia Tech and GTRC did not admit wrongdoing as part of the settlement, the case highlights growing federal scrutiny over cybersecurity compliance in research institutions. The university maintained throughout the proceedings that the contracts in question involved basic research exempt from certain cybersecurity protocols.

“From the outset, Georgia Tech denied the government’s allegations that mischaracterized our commitment to cybersecurity,” the institution said in a statement. “We worked hard to educate the government about the strong compliance efforts of our researchers and are pleased to avoid the distraction of litigation by resolving this matter without any admission of liability.”

The DOJ alleged that Georgia Tech failed to follow the National Institute of Standards and Technology Special Publication 800-171 guidelines and other defense federal acquisition regulations on contracts worth more than $30 million. Specifically, the government claimed that until December 2021, the university’s Astrolavos Lab, which conducted sensitive cyber-defense research, had failed to “install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks.”

The DOJ further alleged that “until at least February 2020, there was no system security plan in place” and that in December 2020, the organizations “submitted a false summary level cybersecurity assessment score to DOD.”

Under the settlement terms, half of the $875,000 payment ($437,500) constitutes restitution. Additionally, GTRC agreed to pay the two whistleblowers a total of $201,250, plus an undisclosed amount to their attorney, Julie Bracker.

The settlement amount is notably smaller than the $1.25 million that Pennsylvania State University paid last year in a similar case. Both cases were brought by Bracker’s law firm, which specializes in whistleblower litigation. According to Bracker, this is just the beginning of such enforcement actions.

“As the accelerating series of settlements in 2025 demonstrates, sealed cases under the cyberfraud initiative are still at the beginning phase of being made public,” Bracker told industry publication RRC. “Bracker & Marcus has more than a dozen cyber cases under seal, with another dozen being investigated, and of course other firms are also filing these matters—we are really still just at the beginning.”

This settlement is part of a broader enforcement trend under the Biden administration’s Civil Cyber-Fraud Initiative. In July, genome sequencing firm Illumina Inc. agreed to pay $9.8 million to resolve similar allegations. Earlier in May, Cleveland Clinic paid $7.6 million in a case involving both foreign research support and cybersecurity compliance issues.

The FCA gives the federal government authority to impose fines up to three times the amount it believes was obtained through fraudulent means. In its 99-page complaint against Georgia Tech, the DOJ noted that “between fiscal years 2019 and 2022, GTRC entered into more than $1.6 billion in government contracts, primarily with the federal government and specifically DOD.”

Unlike the Cleveland Clinic settlement, the Georgia Tech agreement did not require any corrective actions such as enhanced cybersecurity measures or additional training programs.

Research institutions with federal contracts should take note that defending against such accusations often proves more costly than settlement amounts. With Bracker’s firm alone pursuing “more than a dozen” similar cases, universities and research organizations facing federal cybersecurity requirements may face increased scrutiny and potential liability in the coming years.