A former network administrator accuses IBM of covering up several data breaches

IBM’s former cybersecurity chief has accused the company of being hacked three times in the past decade by foreign governments and then covering up the breaches.

In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said IBM concluded that Chinese hackers breached its main network between 2013 and 2016, but the company then covered up the breach and did not disclose it. Barlow also said that at least two IBM subsidiaries were breached, and that IBM has since closed those breaches.

Barlow alleged in his complaint that IBM’s main network was “frequently hacked by foreign actors and others,” adding that information was frequently stolen and government agencies were “not notified.”

Although the alleged breach dates back more than a decade, the news shows that cyber attacks, even those involving large public technology companies like IBM, are sometimes not disclosed, either to the public or to the relevant government authorities. IBM is the largest cybersecurity vendor to the US federal government, making the alleged cover-up all the more important. Over the past few years, several data breach notification laws have been passed to combat this problem.

Bloomberg first reported the case.

IBM spokesman Miki Carver declined to answer specific questions about the lawsuit and the underlying allegations. Instead, Carver told TechCrunch, “This complaint was filed six years ago, and the US Department of Justice declined to intervene. IBM is confident that our actions follow the law.”

Specifically, Barlow said IBM was among several victims of a hacking campaign by APT 10, a group linked to the Chinese government that then-FBI Director Christopher Wray said was targeting a ‘Who’s Who’ of the global economy when its members were indicted in 2018. Hackers broke into the company’s network and the data it stores there in collaboration with AT&T.

Barlow alleges that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States, and the United Kingdom – the so-called Five Eyes alliance – alerted IBM to the breach, prompting an internal investigation.

According to the complaint, the investigation concluded that APT 10 may have breached IBM’s network more than 56,000 times between 2013 and 2016. Most importantly, the company said it could not investigate further because it did not keep logs of who accessed its network and when – a basic security practice.

IBM then allegedly failed to notify any authorities or the US government, one of its biggest customers.

“Since the infrastructure of IBM and AT&T’s Core Networks is old, hackers were able to access the system multiple times and can roam anywhere without being detected,” read the complaint, explaining that IBM’s internal investigation concluded that four servers were vulnerable to the APT 10 hacking campaign.

“The attackers compromised and/or accessed approximately 400 compromised accounts and 200 systems and servers across IBM business units, eighteen countries, and multiple IBM products,” an internal IBM report on the breach investigation said, according to the complaint.

Jason Brown, an attorney representing Barlow, told TechCrunch that his firm “looks forward to taking this matter to court.”

“You can’t sell cybersecurity to the federal government when you say you have these security issues at your company,” Brown said.

According to Barlow, another breach he was aware of affected Trusteer, a cybersecurity startup acquired by IBM in 2013, which he said was breached in 2018; and Truven, a healthcare data startup IBM acquired in 2016, which it says was breached multiple times after the acquisition.

In both cases, Barlow accused IBM of failing to properly investigate and disclose the breach.
