A former IBM cybersecurity executive has accused the company of being hacked three times in the past decade by foreign governments and then covering up the breaches.
In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said that IBM concluded that Chinese hackers breached its main network between 2013 and 2016, but that the company covered up the breaches and never disclosed them. Barlow also said that at least two IBM subsidiaries were breached and that IBM covered up those breaches as well.
Barlow alleged in his complaint that IBM’s core network was “systematically compromised by foreign government actors and others,” adding that data was frequently stolen and government agencies were “never notified.”
While the alleged breaches date back more than a decade, news reports show that cyberattacks, even those affecting large public technology companies like IBM, are sometimes never disclosed, either to the public or to relevant government authorities. IBM is a major cybersecurity supplier to the US federal government, which makes the alleged cover-up particularly significant. In recent years, several data breach notification laws have been passed to address this problem.
Bloomberg first reported on the lawsuit.
IBM spokesman Miki Carver declined to answer specific questions about the lawsuit and the underlying charges. Instead, Carver told TechCrunch, “This complaint was filed six years ago and the US Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”
Specifically, Barlow said that IBM was among several victims of a hacking campaign carried out by APT 10, a group linked to the Chinese government that then-FBI Director Christopher Wray said had targeted a “Who’s Who of the global economy” when its members were indicted in 2018. Hackers broke into both the company’s network and the data it kept there in partnership with AT&T.
Barlow claimed that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States and the United Kingdom — the so-called Five Eyes alliance — alerted IBM to the breach, which led to an internal investigation.
According to the complaint, the investigation concluded that APT 10 potentially breached IBM’s network more than 56,000 times between 2013 and 2016. Crucially, the company said it could not investigate further because it had not kept logs of who accessed its network and when — a key security practice.
IBM then allegedly failed to notify any authorities or the US government, one of its main customers.
“Because the infrastructure of IBM and AT&T’s core networks is archaic, hackers were able to gain access to the system in many cases and can roam almost anywhere undetected,” read the complaint, which explained that IBM’s internal investigation concluded that four servers had been compromised in the APT 10 hacking campaign.
“The attackers compromised and/or accessed nearly 400 compromised accounts and nearly 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products,” an internal IBM report on the breach investigation said, according to the complaint.
Jason Brown, an attorney representing Barlow, told TechCrunch that his firm “looks forward to aggressively litigating the matter.”
“You can’t sell cybersecurity to the federal government while you allegedly have these security problems within your company,” Brown said.
According to Barlow, other breaches he was aware of affected Trusteer, a cybersecurity startup acquired by IBM in 2013, which he says was breached in 2018, and Truven, a healthcare data startup acquired by IBM in 2016, which he says was breached multiple times after the acquisition.
In both cases, Barlow accused IBM of failing to properly investigate and disclose these breaches.
