A former IBM cybersecurity executive accused the company of getting hacked three times in the previous decade by foreign governments and then covering up the breaches.
Key Takeaways
- Cover-Up Allegations: A lawsuit unsealed this week alleges that IBM, a major U.S. government cybersecurity vendor, was repeatedly breached by foreign state actors, including Chinese hackers, between 2013 and 2019, and systematically covered up these incidents without disclosing them to authorities or the public.
- Critical Security Lapses: The lawsuit claims IBM’s core network was “archaic” and lacked fundamental security practices, such as maintaining logs of network access, hindering proper investigation into major breaches and allowing attackers to roam undetected for years.
- Broader Implications for Trust: The accusations highlight a critical issue in the cybersecurity industry: the potential for major players to conceal significant breaches, undermining trust among clients, government partners, and the public, especially in an era of increasing data breach notification laws.
In a stunning development that has sent ripples through the cybersecurity industry, a former high-ranking IBM executive has leveled explosive accusations against the tech giant, claiming the company suffered multiple sophisticated hacks by foreign governments over a period of years and then deliberately concealed these breaches from authorities and the public. The allegations, detailed in a lawsuit originally filed in 2020 and unsealed this week, paint a troubling picture of potential corporate malfeasance at one of the world’s most prominent technology and cybersecurity providers.
William Barlow, who served as IBM’s vice president of threat intelligence until August 2019, is the whistleblower behind the suit. He alleges that IBM’s core network was “routinely hacked by foreign state actors and others,” leading to the theft of sensitive data, yet government agencies were “never notified.” This accusation carries particular weight given IBM’s extensive contracts as a cybersecurity vendor to the U.S. federal government, raising serious questions about the integrity of its own systems and its commitment to transparency.
The Whistleblower’s Claims: A Pattern of Concealment
Barlow’s lawsuit contends that the most significant breach involved Chinese government-linked hackers, specifically the notorious group known as APT 10. According to the complaint, APT 10 allegedly infiltrated IBM’s core network between 2013 and 2016, a period during which IBM purportedly discovered the intrusion but chose to cover it up, never making any public or governmental disclosures. This alleged lack of transparency extends beyond the core network, as Barlow also claims that at least two IBM subsidiaries were similarly breached, with those incidents also being swept under the rug.
The implications of these allegations are profound. While the alleged breaches date back several years, the news underscores a persistent and problematic issue: cyberattacks, even those impacting global enterprises like IBM, sometimes remain undisclosed, bypassing both public awareness and the scrutiny of relevant government authorities. This practice directly contradicts the spirit, and often the letter, of modern data breach notification laws that have been increasingly enacted globally to combat such concealment.
APT 10 Infiltration: A Deeper Dive into the Accusations
The complaint provides startling details about the alleged APT 10 breach. Barlow specifically states that IBM was among several victims of a widespread hacking campaign carried out by APT 10, a group that then-FBI Director Christopher Wray famously described as having targeted a “Who’s Who” of the global economy during their 2018 indictment. The hackers reportedly compromised not only IBM’s internal network but also data the company maintained in partnership with AT&T.
The alleged breach came to light internally in March 2017 when intelligence officials from the “Five Eyes” alliance—Australia, Canada, New Zealand, the United Kingdom, and the United States—reportedly warned IBM of the intrusion. This prompted an internal investigation, which, according to Barlow’s complaint, concluded that APT 10 had potentially breached IBM’s network an staggering 56,000 times between 2013 and 2016. What makes this finding particularly alarming is the subsequent revelation: IBM allegedly stated it could not investigate further because it had not maintained proper logs of who accessed its network and when—a fundamental security practice considered basic hygiene for any enterprise, let alone a leading cybersecurity vendor.
The internal IBM report cited in the complaint further elaborated on the scale of the compromise: “The attackers have compromised and/or accessed nearly 400 compromised accounts and almost 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products.” Despite the clear evidence of widespread infiltration, IBM then allegedly failed to alert any authorities or its significant client, the U.S. government.
The complaint goes on to critique IBM’s infrastructure, stating, “As IBM and AT&T’s Core Networks’ infrastructure is archaic, hackers have been able to gain access to the system on numerous occasions and can roam almost anywhere undetected.” This paints a picture of systemic vulnerabilities that allegedly allowed sophisticated state-sponsored actors to operate with impunity for years.
Subsidiary Breaches and Broader Concerns
Beyond the core network, Barlow’s lawsuit points to a pattern of alleged security failures and cover-ups involving IBM’s acquired entities. He specifically identified two instances: Trusteer, a cybersecurity startup acquired by IBM in 2013, which he claims was breached in 2018; and Truven, a healthcare data startup acquired in 2016, which Barlow alleges was breached multiple times after its acquisition. In both these cases, the former executive accuses IBM of failing to properly investigate and disclose these breaches, echoing the alleged behavior concerning the APT 10 incidents.
These allegations are particularly damaging because they touch upon the very essence of trust. When a company that sells cybersecurity solutions to governments and corporations is accused of such significant internal security lapses and subsequent cover-ups, it erodes confidence across the entire ecosystem. It begs the question of whether other breaches have gone undisclosed by various entities, highlighting the ongoing challenge of achieving transparency in an increasingly complex threat landscape.
IBM’s Response and Legal Outlook
In response to the surfacing allegations, IBM spokesperson Miki Carver declined to address specific questions regarding the lawsuit and its underlying accusations. Instead, Carver provided a statement to TechCrunch, emphasizing, “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.” This statement, while legally cautious, does not directly refute the claims of breaches or cover-ups, instead focusing on the Department of Justice’s decision not to join the suit.
Meanwhile, Jason Brown, the lawyer representing William Barlow, has indicated a determined approach to the litigation. Speaking to TechCrunch, Brown affirmed, “We’re looking forward to aggressively litigating the matter.” He underscored the gravity of the situation with a pointed observation: “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.” This legal battle is expected to be closely watched, not just for its outcome, but for the potential revelations it could bring regarding corporate cybersecurity practices and accountability.
The Bottom Line
The allegations against IBM are more than just a legal dispute; they represent a significant challenge to the credibility of a technology stalwart and underscore the pervasive issues of corporate accountability and transparency in the digital age. If proven true, these claims expose critical failures in internal security, a potential disregard for ethical disclosure, and a jarring disconnect between IBM’s public image as a cybersecurity leader and its alleged internal reality. The outcome of this lawsuit could set a precedent for how major corporations handle significant breaches, reinforcing the growing expectation for timely disclosure and rigorous internal security, especially for those entrusted with protecting the world’s most sensitive data.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
{content}
Source: {feed_title}