Faking peer reviews
Someone found a way to infiltrate the Elsevier Editorial System; here’s what happened and what we’ve done
Yesterday, Ivan Oransky of Retraction Watch reported that the Elsevier Editorial System (EES), our online platform for managing the submission and peer-review process, had been hacked in November. His article, “Elsevier editorial system hacked, reviews faked, 11 retractions follow,” is an accurate account of what happened and a good example of the positive role Retraction Watch can play in monitoring the scientific literature. The Retraction Notices posted by the Elsevier journals themselves provided details about the falsified reports:
A referee’s report on which the editorial decision was made was found to be falsified. The referee’s report was submitted under the name of an established scientist who was not aware of the paper or the report, via a fictitious EES account. Because of the submission of a fake, but well-written and positive referee’s report, the Editor was misled into accepting the paper based upon the positive advice of what he assumed was a well-known expert in the field. This represents a clear violation of the fundamentals of the peer-review process, our publishing policies, and publishing ethics standards. The authors of this paper have been offered the option to re-submit their paper for legitimate peer review.
What happened here is that in late October, one of the editors of Optics & Laser Technology (JOLT) alerted our EES team that reviewers for two of his assigned submissions had been invited but not by him. Our team immediately launched an investigation and discovered that someone had been able to retrieve the EES username and password information for this editor.
Fake reviews are becoming an increasingly challenging issue for publishers, but one we’re prepared to confront. We participated in a story in The Chronicle of Higher Education back in September, also stemming from someone creating fake reviewer accounts. In that case, the editors noticed the reviews were coming in from generic email addresses (e.g., Yahoo or Gmail) rather than institutional ones. Here, it was clear the author himself had created the fake reviewer accounts.
What is Elsevier doing to protect EES users?
We regularly conduct an audit of EES tools and processes to determine where improvements can be made. The major recommendations from the most recent audit prompted the introduction of a security change: User Profile Consolidation. Consolidated profiles in EES are protected from the malicious use that occurred in this scenario because the registered user has total control over the personal information in the user profile. More information about the benefits of User Profile Consolidation can be found on this Profile Consolidation FAQ.
In July, we ran a pilot to make user profile consolidation in EES available to almost 1,000 “very active” users. The first pilot was successful, with 90 percent of these pilot users consolidating approximately 4,000 entitlements. Pilot users were surveyed for feedback on the process, including level of effort and provision of help and support. This pilot ran for 10 weeks, and the process itself, the supporting documentation and the communication were improved prior to introducing a second pilot on October 10. This second pilot introduced user profile consolidation for 16,500 additional users and has also proven to be very successful.
After the successful pilots, user profile consolidation became available to all users on December 3. Elsevier encourages all EES users to complete this process as soon as possible; we’ve already seen more than 100,000 unique users consolidate their accounts. In the coming weeks, we will proactively support larger numbers of frequent users through this process as necessary.
In addition to User Profile Consolidation, we have implemented other changes that were recommended by Elsevier’s internal Security and Data Protection team, not all of which would be wise for us to discuss publicly. It has also been suggested that the new ORCID program has the potential to reduce this type of fraud.
The challenge for us is not so different from that of other companies, and that’s finding the right balance between security control and customer ease of use. One result of this is that editors may have to do more to keep their accounts safe — much like people have to do more to access their online bank accounts — though clearly, there are differences here. Another important aspect of fraud detection in academic publishing is that no matter how strong we make protocols and controls, there is always going to be a human element – a role for editors and publishers to flag when something looks out of line.
Scientific fraud and misconduct is a growing concern in the scientific community and is something Elsevier contributes a significant amount of resources to confront. That includes an information security team that is acutely aware of the risks and vulnerabilities of any online system. The reality today is that hacking and spoofing can and will occur, though here we believe that we acted quickly, that the impact is minimal and that we have taken the necessary steps to eliminate the threat posed, at least through this method.
We’ll be paying close attention to the discussion surrounding this incident and will try to address any questions that arise.
As VP of Global Corporate Relations at Elsevier, Tom Reller (@TomReller) is the primary media spokesman for Elsevier, responsible for the company’s relationships with media, analysts and other online communities.