A former cyber executive turned whistleblower accuses IBM of covering up several data breaches

A former IBM cybersecurity executive has accused the company of being hacked three times in the past decade by foreign governments and then covering up the breaches.

In a lawsuit Unsealed this week But William Barlow, who was IBM’s vice president of threat intelligence until August 2019, filed in 2020 that IBM concluded that Chinese hackers penetrated its core network between 2013 and 2016, but the company then covered up the breaches and never disclosed them. Barlow also said that at least two IBM subsidiaries were also hacked, and that IBM covered up those breaches as well.

Barlow alleged in his complaint that IBM’s core network was “routinely compromised by foreign state actors and others,” adding that data was often stolen and government agencies were “never notified.”

Although the alleged breaches go back more than a decade, news shows that cyberattacks, even those affecting large public technology companies like IBM, are sometimes never disclosed, either to the public or to relevant government authorities. IBM is a major cybersecurity supplier to the US federal government, making the alleged cover-up particularly significant. In the past few years, several data breach reporting laws have emerged It has been passed To confront this problem.

Bloomberg It was first mentioned in the lawsuit.

IBM spokesman Mickey Carver declined to answer specific questions about the lawsuit and the underlying charges. Instead, Carver told TechCrunch, “This complaint was filed six years ago, and the US Department of Justice has refused to intervene. IBM is confident that our actions followed the letter of the law.”

In particular, Barlow said that IBM was among several victims of a hacking campaign carried out by APT 10, a group linked to the Chinese government that then-FBI Director Christopher Wray said targeted “Who is he” of the global economy when its members were indicted in 2018. Hackers broke into both the company’s network and the data it kept there in partnership with AT&T.

Barlow claimed that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States and the United Kingdom — the so-called Five Eyes alliance — warned IBM about the hack, triggering an internal investigation.

According to the complaint, the investigation concluded that APT 10 had hacked into the IBM network more than 56,000 times between 2013 and 2016. More importantly, the company said it could not investigate further because it did not keep logs about who accessed its network and when — a basic security practice.

IBM then allegedly failed to alert any authorities or the US government, one of its major clients.

“Because IBM and AT&T’s core network infrastructure is outdated, hackers have gained access to the system on numerous occasions and can roam almost anywhere without being detected,” said the complaint, which explained that IBM’s internal investigation concluded that four servers were compromised in the APT 10 hacking campaign.

“Attackers compromised and/or accessed approximately 400 compromised accounts and approximately 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products,” an IBM internal report on the breach investigation said.

Jason Brown, an attorney representing Barlow, told TechCrunch that his firm “looks forward to aggressively litigating this matter.”

“You can’t sell cybersecurity to the federal government when you allegedly have these security issues within your own company,” Brown said.

According to Barlow, other breaches he was aware of affected Trusteer, a cybersecurity startup acquired by IBM in 2013, which he says was hacked in 2018; And Truven, a healthcare data startup acquired by IBM in 2016, which he says was hacked multiple times after the acquisition.

In both cases, Barlow accused IBM of failing to properly investigate and disclose these violations.