A former IBM cybersecurity executive has accused the company of being hacked multiple times by foreign governments over the past decade and then covering up the incidents.
In a lawsuit unsealed this week but originally filed in 2020, William Barlow, who served as IBM’s vice president of threat intelligence until August 2019, claimed that IBM determined Chinese hackers had breached its core network between 2013 and 2016. He alleged that the company then covered up the breaches and did not disclose them.
Barlow also claimed that at least two IBM subsidiaries were breached and that those incidents were also not properly investigated or reported.
According to the complaint, IBM’s core network was “routinely hacked by foreign state actors and others,” with data frequently stolen while government agencies were allegedly never informed.
Although the alleged breaches happened more than a decade ago, the case highlights how cyberattacks affecting major public technology companies may sometimes remain undisclosed to the public or to relevant authorities. IBM is also a major cybersecurity vendor for the U.S. federal government, making the allegations especially serious.
Bloomberg first reported on the lawsuit.
IBM spokesperson Miki Carver declined to answer detailed questions about the lawsuit and the claims behind it. In a statement to TechCrunch, Carver said the complaint was filed six years ago and that the U.S. Department of Justice declined to intervene. IBM said it is confident that its actions followed the law.
Barlow claimed IBM was among the victims of a hacking campaign carried out by APT 10, a Chinese government-linked hacking group. The group was described by then-FBI Director Christopher Wray in 2018 as having targeted a major cross-section of the global economy.
According to the lawsuit, the hackers accessed IBM’s network and data maintained there in partnership with AT&T.
Barlow alleged that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States, and the United Kingdom warned IBM about the breach. That warning reportedly triggered an internal investigation.
The complaint claims the investigation found that APT 10 may have breached IBM’s network more than 56,000 times between 2013 and 2016. It also alleged that IBM could not investigate further because it had not kept proper access logs showing who entered the network and when.
According to the lawsuit, IBM then failed to notify authorities or the U.S. government, one of its major customers.
The complaint also cited an internal IBM report saying attackers had compromised or accessed nearly 400 accounts and almost 200 systems and servers across every IBM business unit, 18 countries, and several IBM products.
Jason Brown, a lawyer representing Barlow, told TechCrunch that his firm is looking forward to aggressively litigating the matter.
“You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company,” Brown said.
Barlow also alleged that other breaches affected Trusteer, a cybersecurity startup IBM acquired in 2013, and Truven, a healthcare data company IBM acquired in 2016. He claimed Trusteer was breached in 2018 and that Truven was breached several times after IBM acquired it.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
In both cases, Barlow accused IBM of failing to properly investigate and disclose the breaches.
