Atlanta

2 men file lawsuit against GA Tech, accuse university of failing to protect sensitive information

ATLANTA, Ga. — It’s the United States of America vs. Georgia Tech after two whistleblowers took on the university.

They say that Tech failed to provide adequate security of sensitive government information, possibly even weapons information.

[DOWNLOAD: Free WSB-TV News app for alerts as news breaks]

Georgia Tech said it takes protection protocols very seriously in the interest of the U.S.

Channel 2 Investigative Reporter Sophia Choi spoke to the former and current employees, Christopher Craig and Kyle Koza, who said they tried to get the university to do the right thing, knowing the dangers of this kind of secret government information getting into the wrong hands.

2 Investigates:

Instead, Craig and Koza said they got reprimanded and demoted.

Koza, who is an information security engineer, said he and Craig, a cybersecurity expert, were hired to protect cyber security research and possibly weapons research as cyber security assessors for the university.

[SIGN UP: WSB-TV Daily Headlines Newsletter]

But they say Tech stopped them, lied to the government and put American lives in danger by not sticking to security protocols.

“It could be exposed to, you know, hostile nations,” Koza said.

“They are knowingly not doing it still telling the Department of Defense that they are doing it,” Craig said.

The whistleblowers said Georgia Tech gets money from the Department of Defense to do sensitive military research. But to get those lucrative government contracts, universities must agree to strict security protocols.

The university said it is “hyper-focused on cybersecurity and protecting sensitive data.”

But Koza and Craig said they witnessed Georgia Tech allowing major security lapses with one lab not even using two-factor authentication while allowing access to third-party vendors with no background checks.

“When we went to investigate, we found that they had contracts, both with vendors and with business partners, that allowed unnamed individuals from those companies to go into the lab,” Craig said.

When Koza and Craig tried to fix the security issues, they said Georgia Tech told them to back off and back down, and that otherwise, the university could lose the funding.

“I was removed from my management position in order to no longer have visibility into our noncompliance,” Craig said.

Koza said it was a way to cut him and Craig out of the process so they couldn’t raise issues anymore.

After 15 years at GA Tech, Koza quit.

“I just didn’t feel like I could work there and be ethical,” Koza said.

Koza and Craig filed a lawsuit in 2022. The Department of Justice saw such merit in it that they intervened and became the primary complainant in Feb. 2024.

The Whistleblowers said the fact that the government jumped in bolsters their claims.

“I presume that they care an enormous amount about it, because people could end up getting killed somewhere if this information gets breached,” Craig said.

Tech said there was no allegation that there was a breach of information, no data leaked and the data used in the research was neither classified nor controlled defense information.

Javed Ali spent 15 years working in intelligence and counter-terrorism with Homeland Security, the FBI and the National Security Council before teaching at the University of Michigan.

He said bad agents using secrets gained from Department of Defense projects at universities can easily target Americans.

“Build a weapons system, figure out how our systems work, come up with new defense,” Ali said. " So that’s the risk.”

Koza and Craig said they aren’t going away until Georgia Tech takes the security of its research, and of Americans, seriously.

“It’s about making sure that this stops happening,” Koza said.

The Justice Department has until Aug. 22 to file its own complaint against Tech. Koza and Craig will get a portion of the money if the university ends up having to pay the government.

0