
A former IBM cybersecurity executive accused IBM of being hacked three times by foreign governments in the past decade and then covering up the breaches.
William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said in a lawsuit made public this week but filed in 2020 that IBM concluded that Chinese hackers had compromised its core network between 2013 and 2016, but that the company covered up the breach and never made it public. Barlow also said that at least two IBM subsidiaries were breached, and that IBM covered up those breaches as well.
Barlow alleged in the complaint that IBM’s core network was “regularly hacked by foreign actors and other actors,” adding that data was frequently stolen and government agencies were “never notified.”
More than a decade after the alleged breach, the news shows that even cyberattacks affecting large public technology companies like IBM are sometimes never disclosed to the public or the relevant government authorities. IBM is a major cybersecurity vendor to the U.S. federal government, so the cover-up allegations are especially significant. Over the past few years, several data breach notification laws have been passed to address this issue.
Bloomberg first reported on this lawsuit.
IBM spokeswoman Miki Carver declined to answer specific questions about the lawsuit and the resulting accusations. Instead, Carver told TechCrunch, “This complaint was filed six years ago and the U.S. Department of Justice has declined to intervene. IBM is confident that our actions were within the letter of the law.”
In particular, Barlow said IBM was one of several victims of a hacking campaign conducted by APT 10, a Chinese government-linked group that then-FBI Director Christopher Wray said targeted “a who’s who” of the global economy when an IBM member was indicted in 2018. Hackers broke into both IBM’s network and data maintained jointly by AT&T.
Barlow claimed that intelligence officials from Australia, Canada, New Zealand, the United States and the United Kingdom (the so-called Five Eyes alliance) alerted IBM to the breach in March 2017, prompting an internal investigation.
According to the complaint, the investigation concluded that APT 10 potentially compromised IBM’s network more than 56,000 times from 2013 to 2016. Crucially, the company said it did not keep logs of who accessed its network and when, so it could not investigate further. Keeping such logs is a basic security practice.
Afterwards, IBM reportedly did not notify authorities or the U.S. government, one of its major customers.
Because IBM and AT&T’s core network infrastructure was outdated, hackers were able to access the systems multiple times and roam almost anywhere undetected. IBM’s internal investigation concluded that four servers were compromised in the APT 10 hacking campaign.
According to the complaint and an internal IBM investigation report, the attackers compromised and/or accessed approximately 400 compromised accounts and approximately 200 systems and servers across all IBM business units, 18 countries, and multiple IBM products.
Barlow’s attorney, Jason Brown, told TechCrunch that his company “expects aggressive litigation on this matter.”
“You can’t sell cybersecurity to the federal government while claiming you have these security issues within your company,” Brown said.
According to Barlow, another breach he was aware of affected Trusteer, a cybersecurity startup that IBM acquired in 2013, which he said was breached in 2018. Truven, a health data startup acquired by IBM in 2016, said it suffered multiple breaches following the acquisition.
In both cases, Barlow accused IBM of failing to properly investigate and disclose these breaches.









