Elsevier editorial system hacked, reviews faked, 11 retractions follow

For several months now, we’ve been reporting on variations on a theme: Authors submitting fake email addresses for potential peer reviewers, to ensure positive reviews. In August, for example, we broke the story of Hyung-In Moon, who has now retracted 24 papers published by Informa because he managed to do his own peer review.

Now, Retraction Watch has learned that the Elsevier Editorial System (EES) was hacked sometime last month, leading to faked peer reviews and retractions — although the submitting authors don’t seem to have been at fault. As of now, eleven papers by authors in China, India, Iran, and Turkey have been retracted from three journals.

Here’s one of two identical notices that have just run in Optics & Laser Technology, for two unconnected papers:

This article has been retracted: please see Elsevier Policy on Article Withdrawal (http://www.elsevier.com/locate/withdrawalpolicy).

This article has been retracted at the request of the Editor-in-Chief.

A referee’s report on which the editorial decision was made was found to be falsified. The referee’s report was submitted under the name of an established scientist who was not aware of the paper or the report, via a fictitious EES account. Because of the submission of a fake, but well-written and positive referee’s report, the Editor was misled into accepting the paper based upon the positive advice of what he assumed was a well-known expert in the field. This represents a clear violation of the fundamentals of the peer-review process, our publishing policies, and publishing ethics standards. The authors of this paper have been offered the option to re-submit their paper for legitimate peer review.

Optics & Laser Technology has run eight such notices, which are identical to one that ran in the Journal of Mathematical Analysis and Applications in August, except that the JMAA did not say the authors had been offered the option of resubmitting.

It’s unclear who wrote the fake reviews. The corresponding authors of two Optics & Laser Technology papers told us they had no idea.

We learned a bit more about what happened, though, when we saw correspondence between editor Andrea Cusano and the corresponding author of one of the papers.

Cusano told the author in an email that Elsevier had security problems last month.

…we were able to identify some fake reviewers and deactivate them [from] the system…

The reviews by these fake reviewers, not surprisingly, were done incorrectly, and were not up to the journal’s standards of quality. But the authors, Cusano said, were “innocent victims of this hacking problem,” so the journal retracted the papers, and decided to allow them to resubmit the manuscripts for new peer review. Cusano wrote in the email that his team

will receive a very honest review process in less than one month from the initial submission date.

Elsevier opted for something called the consolidated profile to avoid the problem in the future, Cusano wrote. And Elsevier tells Retraction Watch that “measures have been taken to prevent this from happening again.”

It’s unclear what the EES hacker’s goals were. It seems odd to hack the system to write a “well-written and positive referee’s report.” So far, Elsevier said, it has not seen a direct connection between the fake reviewers and the authors.

Update, 2:10 p.m. Eastern, 12/11/11: A few people, on Twitter and in the comments, have questioned whether this was really hacking, or just email spoofing. We had the same question when we were reporting this post, so we let Elsevier know that we had a journal editor calling this “hacking.” They didn’t suggest any clarifications or corrections.

Update, 4:30 Eastern, 12/12/12: Elsevier’s Tom Reller has more details on this incident. From his post at Elsevier Connect (which is worth a read):

What happened here is that in late October, one of the editors of Optics & Laser Technology (JOLT) alerted our EES team that reviewers for two of his assigned submissions had been invited but not by him. Our team immediately launched an investigation and discovered that someone had been able to retrieve the EES username and password information for this editor.

31 thoughts on “Elsevier editorial system hacked, reviews faked, 11 retractions follow”

  1. perhaps the hacking reviewer was aiming to make a name, so he could then start to review his own papers, or even sell reviews for a fee?

    1. Seems likely, in which case I think this would be technically “spoofing” rather than “hacking.” In any case, assuming Elsevier is correct that there’s no connection between the intruder and the submitting authors (cui bono?), one possible motivation we can speculate about would be to achieve access to unpublished manuscripts in one’s field. It would be pretty straightforward to tune one’s reviewer profile in a way that would (when coupled with a known name) tend to direct papers on a particular topic your way; this could be a competitive leg up, or even a source of unpublished datasets and figures that you could promptly reformat and submit somewhere else as your own work. (Although, in that case, the strategy would seem to be to submit negative reviews). Unless it’s just somebody seeing what they could get away with, it seems likely that there’s some fairly serious skullduggery of one sort or another going on.

      Interesting.

      1. Interesting indeed. So many possibilities, as mentioned.
        1) Give a favorable review to your own paper.
        2) Give a favorable review to your friend’s paper.
        3) Give a favorable review for a price to any paper if the author has the money.
        4) Get an early look at your competitor’s results.
        5) Get your hands on some data sets and photos for possible use elsewhere.

        I don’t think negative reviews would be needed. There are plenty of obscure journals where plagiarized sentences and stolen data/photos could be submitted without fear, even if the original is published. Positive reviews are more likely to avoid scrutiny, and even to make the reviewer look decent and supportive and generally the opposite of a bitter and pinch-mouthed person who wants to close the door behind him/herself now that s/he has managed to get in. Who would suspect a decent and supportive reviewer of having ulterior motives? It’s the perfect disguise.

      1. Elsevier didn’t say they were sure. As we reported, “So far, Elsevier said, it has not seen a direct connection between the fake reviewers and the authors.”

  2. I don’t get it. In my experience with EES, you–as the editor–contact potential reviewers. I don’t see how someone could submit an unsolicited review through EES. Or was the invitation sent to the fake account?

      1. I thought that with the earlier cases, the author had recommended himself as a reviewer using fake email addresses. I’m guessing that what happened next is that the editor registered this “reviewer” in EES and then sent him a request to review. Unless I’m wrong, only editors can register reviewers.

        As to your second point, in fact EES recommends you also include gmail (and the like) accounts when you register reviewers. This is a way to circumvent spam filters to which review requests might otherwise fall victim. Nevertheless, I agree with you and only use university email addresses for reviewers.

      2. I think it would be harder to fake, too, but also harder to get reviewers: I myself have changed e-mail address five times in the last twelve years, of which four times at the same (current) employer. I’m not constantly updating my contact address for all those journals that have me in their database (often because I don’t even know). And all that reviewing capacity in the industry…!

  3. Simpler than university addresses would be to have only addresses that were already used to submit a paper. This could be achieved via a system similar to ORCID…

  4. If the submitting authors truly were not connected to the incident (apart from their submission), this then presents a serious problem for the authors in terms of considerable wasted time and effort. This is professional time that now has to be duplicated, meaning a loss of time dedicated to other projects. It is time that the authors’ institutions have paid for. If Elsevier really wanted to take responsibility for the insecure nature of their system (which seems glaringly obvious), perhaps they should offer to “buy out” the authors’ time, providing them, therefore, with something akin to a sabbatical to get all of this work redone. If it’s Elsevier’s security error, Elsevier should rectify it properly, and restore confidence in their system.

    1. Duplicated sounds a bit exaggerated to me – presumably they can just send the exact same manuscript that was accepted? So that part does not have to be redone. Only the further revisions may require any significant further effort.
      There is of course the waiting time that will be annoying, plus the chance that upon “real” review the paper may now not be acceptable.

  5. This episode raises another issue: editors apparently don’t read the papers and form any opinion of their own, and they don’t read the reviewers’ comments either, but just look at how famous the reviewer is, and what their final recommendation is.

    1. The facts at hand do not justify your conclusion. If an editor receives a well-written, positive review, and the paper is accepted, that does not mean that the editor has not read the paper nor that the editor has ignored the content of the review. In fact, it would be quite odd to reject a paper that got positive reviews, no matter what the prominence of the reviewer. The story does not indicate that there was anything obviously wrong with the papers in question.

      1. OK, I was generalizing – I haven’t read the reviewers’ comments or the editors’ letters for any of these papers. The Editor-in-Chief said ” … the Editor was misled into accepting the paper based upon the positive advice of what he assumed was a well-known expert in the field,” from which I inferred (possibly incorrectly) that had the expert not been well-known, the Editor might have had doubts. I just feel that too little attention is paid to the actual scientific content of the paper. Along similar lines, why do journals ask for cover letters – is that so the editors have even less reason to read the paper?

      2. Editors ask for cover letters for a number of reasons. One is that you typically ask for reviewers before actually reading the paper. Otherwise, the editor would be a significant bottleneck. The cover letter gives you an idea of what the paper is about so you can know who to ask for reviews. Also, authors can use the cover letter to request certain reviewers or to request that certain people not review the paper. This is helpful. Remember that in most cases, the editor is not an expert in the particular sub-field of the manuscript, so it’s useful to have suggestions, and also useful to know about academic feuds you don’t want to get into. Of course, if you only sent the paper to the author’s preferred reviewers, that would be problematic (though preferred reviewers are no guarantee of a positive review, in my experience!), but it’s good to have a place to start.

        Again, while the editor does have an obligation to use her own judgement about the quality of a manuscript, you ask for reviewers precisely because they have more expertise, so it would be foolish to ignore them.

  6. The story is not clear, at least for me, probably because I’m far from understanding the technical details about why hacking is not spoofing and vice versa. However, I note that the story emerges because eleven papers were retracted by Elsevier, and that nothing is detailed regarding the papers which were NOT retracted… I mean: if a submission is rejected on the basis of a negative faked review, its final status in the journal to which it was submitted is “unretractable ad infinitum”. In such a case, nobody (authors, editors, readers) will be aware of the bias in the review, because there is nothing to retract. In the worst case, a massive hacking of the peer-review process could allow all “bad” articles to be published, while all “good” ones to be rejected. A complete nightmare for the journal.

  7. By far the biggest security loophole propagated by Elsevier and EES, is they always send out login IDs and passwords in the same email! No joke – if you get asked to review a paper by EES, the request will list your ID and password in plain text format right there in the email. No encryption, no 2-stage authentication.

    With such a lax attitude to security, the only surprising thing is this didn’t happen before. The fact that Elsevier did not immediately publicize that they got hacked, and request everyone to change their passwords, speaks volumes about their lack of cyber-security smarts.

    1. Our system does this too. I am not comfortable with it as I have seen a few review request emails forwarded along with this information. That said, when we stopped providing this information, the editorial office was FLOODED with username and password requests. Seeing as we have 4 editorial coordinators for 33 journals, this was a problem and now we send out user and password.
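The pattern comment 7 and its reply describe (a reviewer’s ID and password written into the request email, and a flood of password requests when that stopped) is usually handled by putting a signed, expiring, single-use invitation token in the link instead of a password. The Python below is an added example, not code from EES, Elsevier or any commenter; the token format, the in-memory key and redemption state, and the reviewer address and manuscript identifiers are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed server-side signing key; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed server-side state: nonces of invitations already redeemed (single use).
_redeemed = set()


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _encode(payload: bytes) -> str:
    return base64.urlsafe_b64encode(payload).decode().rstrip("=")


def _decode(body: str) -> bytes:
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))


def issue_invitation(reviewer_email: str, manuscript_id: str,
                     ttl_seconds: int = 7 * 24 * 3600,
                     now: Optional[float] = None) -> str:
    """Build the token that goes into the review-request link.

    It is bound to one reviewer and one manuscript, expires, and can be used once.
    The email carries only this token; no password is ever written into the message.
    """
    now = time.time() if now is None else now
    expires = int(now + ttl_seconds)
    nonce = secrets.token_urlsafe(16)
    payload = f"{reviewer_email}|{manuscript_id}|{expires}|{nonce}".encode()
    return f"{_encode(payload)}.{_sign(payload)}"


def redeem_invitation(token: str,
                      now: Optional[float] = None) -> Tuple[str, Optional[Dict[str, str]]]:
    """Check a presented token. Only status 'ok' grants access, and then only
    to the manuscript named in the returned claims, never to a whole account."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        payload = _decode(body)
        email, manuscript_id, expires_str, nonce = payload.decode().split("|")
        expires = int(expires_str)
    except (ValueError, UnicodeDecodeError):
        return "malformed", None
    # Constant-time comparison: a forged tag cannot be guessed one byte at a time.
    if not hmac.compare_digest(tag, _sign(payload)):
        return "bad-signature", None
    if now > expires:
        return "expired", None
    if nonce in _redeemed:
        return "already-used", None
    _redeemed.add(nonce)
    return "ok", {"reviewer": email, "manuscript": manuscript_id}


def alter_manuscript_claim(token: str, new_manuscript_id: str) -> str:
    """Rewrite the manuscript field of a token while keeping its original tag.
    Exists only to show that the signature check rejects edited claims."""
    body, tag = token.split(".")
    email, _old, expires_str, nonce = _decode(body).decode().split("|")
    payload = f"{email}|{new_manuscript_id}|{expires_str}|{nonce}".encode()
    return f"{_encode(payload)}.{tag}"


if __name__ == "__main__":
    # Constructed reviewer address and manuscript id.
    tok = issue_invitation("reviewer@example.org", "manuscript-0001", now=1000.0)
    print(redeem_invitation(tok, now=2000.0))
    print(redeem_invitation(tok, now=2000.0)[0])
    print(redeem_invitation(alter_manuscript_claim(tok, "manuscript-0002"), now=2000.0)[0])
```

A forwarded request (the situation the reply above mentions) still hands the link to whoever reads it, but the token opens one manuscript, lapses after its TTL and is consumed on first use, so the exposure is far smaller than a reusable account password in the same message; logging each redemption also gives the editorial office something to check when an invitation is used unexpectedly.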

  8. Reblogged this on In the Dark and commented:
    Have you heard all the stories about that carefully-managed system of peer review that justifies the exorbitant cost of Elsevier journals? Then read this…
