I work at a research university. Unless the money was Government Funded Research with restrictions, or you sent an ITAR restricted file to China, then what did you do wrong?. If your research was sensitive or higher you would have been briefed by your Prof or a Designated Information Security Officer. You'd also know you made a mistake, as the training would have been thorough.
If another Prof in the department was doing ITAR or Secure research and the compliance officer nailed you for it, that should have been briefed to your PI, but not you.
Take this problem to your PI, and let him/her/it take it to the department head or similar position. Odds are your Research Dean or VP of Research needs to know about this as well.
Did you have them stuff the parts, program the chips, or send any supporting documentation on the project? (Yes/No)
Well above your paygrade. That and someone is an Idiot, Improperly Briefed, Control Freak or Newbie.
If you did not send restricted data, then how are your boards fruit of a poisonous tree?
Leave US Customs out of the discussion. They do not check EVERYTHING that comes in for compliance. They have target lists, and I'm pretty sure "custom pcb" is not one of them. There is a concept in justice called Mens Rea, versus Actus Reus. It is difficult but not impossible to violate the law if you had no intent of doing so.
If this person
seized or opened your package without your PI present and is a non-scientist, for a variety of reasons that needs to be addressed too. Especially if photosensitive, ESD sensitive, a chemical, flammable, oxidizer or acid, biohazard, fragile, frail, temperature sensitive, or hazmat. Make sure your PI understands that. My university has lost some expensive samples to that problem. We also have the periodic problem of "You can't do that, leading to expensive alternatives" A good research leadership team will take a few days and nip that in the bud.
I'd love to know if the rules have changed in the past year.... For the record I'm not a lawyer.
Steve