A former cyber executive turned whistleblower accuses IBM of covering up several data breaches

A former IBM cybersecurity executive has accused the company of being hacked three times in the past decade by foreign governments and then covering up the breaches.

In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said IBM concluded that Chinese hackers penetrated its core network between 2013 and 2016, but the company then covered up the breaches and never disclosed them. Barlow also said that at least two IBM subsidiaries were also hacked, and that IBM covered up those breaches as well.

Barlow alleged in his complaint that IBM’s core network was “routinely compromised by foreign state actors and others,” adding that data was often stolen and government agencies were “never notified.”

Although the alleged breaches go back more than a decade, news shows that cyberattacks, even those affecting large public technology companies like IBM, are sometimes never disclosed, either to the public or to relevant government authorities. IBM is a major cybersecurity supplier to the US federal government, making the alleged cover-up particularly significant. In the past few years, several data breach reporting laws have been passed to address this issue.

Bloomberg first reported on the lawsuit.

IBM spokesman Mickey Carver declined to answer specific questions about the lawsuit and the underlying charges. Instead, Carver told TechCrunch, “This complaint was filed six years ago, and the US Department of Justice has refused to intervene. IBM is confident that our actions followed the letter of the law.”

In particular, Barlow said IBM was among several victims of a hacking campaign carried out by the APT 10, a Chinese government-linked group that then-FBI Director Christopher Wray said targeted the “who’s who” of the global economy when its members were indicted in 2018. The hackers broke into the company’s network and the data it kept there in partnership with AT&T.

Barlow claimed that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States and the United Kingdom — the so-called Five Eyes alliance — warned IBM about the hack, triggering an internal investigation.

According to the complaint, the investigation concluded that APT 10 had hacked into the IBM network more than 56,000 times between 2013 and 2016. More importantly, the company said it could not investigate further because it did not keep logs about who accessed its network and when — a basic security practice.

IBM then allegedly failed to alert any authorities or the US government, one of its major clients.

“Because IBM and AT&T’s core network infrastructure is outdated, hackers have gained access to the system on numerous occasions and can roam almost anywhere without being detected,” said the complaint, which explained that IBM’s internal investigation concluded that four servers were compromised in the APT 10 hacking campaign.

“Attackers compromised and/or accessed approximately 400 compromised accounts and approximately 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products,” an IBM internal report on the breach investigation said.

Jason Brown, an attorney representing Barlow, told TechCrunch that his firm “looks forward to aggressively litigating this matter.”

“You can’t sell cybersecurity to the federal government when you allegedly have these security issues within your own company,” Brown said.

According to Barlow, other breaches he was aware of affected Trusteer, a cybersecurity startup acquired by IBM in 2013, which he says was hacked in 2018; And Truven, a healthcare data startup acquired by IBM in 2016, which he says was hacked multiple times after the acquisition.

In both cases, Barlow accused IBM of failing to properly investigate and disclose these violations.