Elsevier editorial system hacked, reviews faked, 11 retractions follow

elsevierFor several months now, we’ve been reporting on variations on a theme: Authors submitting fake email addresses for potential peer reviewers, to ensure positive reviews. In August, for example, we broke the story of a Hyung-In Moon, who has now retracted 24 papers published by Informa because he managed to do his own peer review.

Now, Retraction Watch has learned that the Elsevier Editorial System (EES) was hacked sometime last month, leading to faked peer reviews and retractions — although the submitting authors don’t seem to have been at fault. As of now, eleven papers by authors in China, India, Iran, and Turkey have been retracted from three journals.

Here’s one of two identical notices that have just run in Optics & Laser Technology, for two unconnected papers:

This article has been retracted: please see Elsevier Policy on Article Withdrawal (http://www.elsevier.com/locate/withdrawalpolicy).

This article has been retracted at the request of the Editor-in-Chief.

A referee’s report on which the editorial decision was made was found to be falsified. The referee’s report was submitted under the name of an established scientist who was not aware of the paper or the report, via a fictitious EES account. Because of the submission of a fake, but well-written and positive referee’s report, the Editor was misled into accepting the paper based upon the positive advice of what he assumed was a well-known expert in the field. This represents a clear violation of the fundamentals of the peer-review process, our publishing policies, and publishing ethics standards. The authors of this paper have been offered the option to re-submit their paper for legitimate peer review.

Optics & Laser Technology has run eight such notices, which are identical to one that ran in the Journal of Mathematical Analysis and Applications in August, except that the JMAA did not say the authors had been offered the option of resubmitting.

It’s unclear who wrote the fake reviews. The corresponding authors of two Optics & Laser Technology papers told us they had no idea.

We learned a bit more about what happened, though, when we saw correspondence between editor Andrea Cusano and the corresponding author of one of the papers.

Cusano told the author in an email that Elsevier had security problems last month.

…we were able to identify some fake reviewers and deactivate them [from] the system…

The reviews by these fake reviewers, not surprisingly, were done incorrectly, and were not up to the journal’s standards of quality. But the authors, Cusano said, were “innocent victims of this hacking problem,” so the journal retracted the papers, and decided to allow them to resubmit the manuscripts for new peer review. Cusano wrote in the email that his team

will receive a very honest review process in less than one month form the initial submission date.

Elsevier opted for something called the consolidated profile to avoid the problem in the future, Cusano wrote. And Elsevier tells Retraction Watch that “measures have been taken to prevent this from happening again.”

It’s unclear what the EES hacker’s goals were. It seems odd to hack the system to write a “well-written and positive referee’s report.” So far, Elsevier said, it has not seen a direct connection between the fake reviewers and the authors.

Update, 2:10 p.m. Eastern, 12/11/11: A few people, on Twitter and in the comments, have questioned whether this was really hacking, or just email spoofing. We had the same question when we were reporting this post, so we let Elsevier know that we had a journal editor calling this “hacking.” They didn’t suggest any clarifications or corrections.

Update, 4:30 Eastern, 12/12/12: Elsevier’s Tom Reller has more details on this incident. From his post at Elsevier Connect (which is worth a read):

What happened here is that in late October, one of the editors of Optics & Laser Technology (JOLT) alerted our EES team that reviewers for two of his assigned submissions had been invited but not by him. Our team immediately launched an investigation and discovered that someone had been able to retrieve the EES username and password information for this editor.