A former IBM cybersecurity executive accused the company of being hacked by foreign governments three times in the previous decade and then covering up the breaches.
In the case opened this week, however, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said in a 2020 filing that IBM concluded that Chinese hackers breached its core network between 2013 and 2016, but that the company later covered up the breaches and never disclosed them. Barlow also said at least two IBM subsidiaries were breached and IBM covered up those breaches as well.
Barlow alleged in his complaint that IBM’s core network was “routinely hacked by foreign state actors and others,” adding that data was often stolen and that government agencies were “never notified.”
Although the alleged breaches date back more than a decade, reports show that cyberattacks, even those affecting large public technology companies like IBM, are sometimes never disclosed to the public or relevant government authorities. IBM is a major cybersecurity supplier to the US federal government, making the alleged cover-up particularly significant. Several data breach notification laws have been passed in recent years to avoid this problem.
Bloomberg first reported on the lawsuit.
IBM spokeswoman Mickey Carver declined to answer specific questions about the lawsuit and the underlying allegations. Instead, Carver told TechCrunch, “This complaint was filed six years ago and the US Department of Justice declined to intervene. IBM is confident that our actions are within the letter of the law.”
Specifically, Barlow said IBM was among several victims of a hacking campaign carried out by APT 10, a group linked to the Chinese government. Who’s Who” when members of the global economy were indicted in 2018. Hackers breached both the company’s network and the data it stored there in collaboration with AT&T.
Barlow claimed that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States and the United Kingdom — the so-called “Five Eyes” alliance — alerted IBM to the breach, prompting an internal investigation.
According to the complaint, the investigation concluded that APT 10 potentially breached the IBM network more than 56,000 times between 2013 and 2016. Crucially, the company said it could not investigate further because it did not record who accessed its network and when. Recording that information is a basic security practice.
After that, it is alleged that IBM did not notify any authorities or the US government, one of its main customers.
“Because the infrastructure of IBM and AT&T’s Core Networks is archaic, hackers were able to gain access to the system in many cases and roam almost anywhere without detection,” read the complaint, which explained that IBM’s internal investigation concluded that four servers were compromised in the APT 10 hacking campaign.
“The attackers compromised and/or accessed nearly 400 compromised accounts and almost 200 shared systems and servers across every IBM business unit, eighteen countries, and multiple IBM products,” according to the complaint, which cites IBM’s internal breach investigation report.
Jason Brown, an attorney representing Barlow, told TechCrunch that his firm “looks forward to aggressively litigating this matter.”
“You can’t sell cybersecurity to the federal government by claiming that your company has these security issues,” Brown said.
According to Barlow, other breaches he is aware of include Trusteer, a cybersecurity startup that was acquired by IBM in 2013 and said it was breached in 2018; and Truven, a health data startup that IBM bought in 2016, which it says has been repeatedly disrupted since the acquisition.
In both cases, Barlow accused IBM of failing to properly investigate and disclose the breaches.