Whistleblower Alleges IBM Concealed Major Data Breaches by State-Sponsored Hackers

A former IBM cybersecurity executive has accused the company of concealing multiple data breaches that were carried out by foreign governments. William Barlow, who served as IBM's vice president of threat intelligence until August 2019, filed a lawsuit in 2020 that was unsealed this week. According to the complaint, Chinese hackers breached IBM's core network between 2013 and 2016, but the breaches were never disclosed to the public or to government authorities. Barlow also claimed that at least two IBM subsidiaries were breached and that those incidents were also covered up. Trusteer, a cybersecurity startup acquired by IBM in 2013, was breached in 2018. Truven, a healthcare data startup acquired in 2016, was breached multiple times after the acquisition. Barlow alleged that IBM failed to properly investigate or disclose any of these breaches. IBM's spokesperson, Miki Carver, declined to answer specific questions about the allegations. Instead, Carver stated that the U.S. Department of Justice had declined to intervene and that IBM was confident it had followed the law. The hackers are believed to be part of APT 10, a group linked to the Chinese government. In 2018, members of this group were indicted by the FBI. The complaint states that the hackers broke into IBM's network and also into data that was maintained in partnership with AT&T. In March 2017, intelligence officials from the Five Eyes alliance—Australia, Canada, New Zealand, the United Kingdom, and the United States—warned IBM of the breach. This warning prompted an internal investigation. The investigation concluded that APT 10 had potentially breached IBM's network more than 56,000 times. However, further investigation was impossible because logs of network access had not been kept—a basic security practice that should have been followed. The complaint also revealed that four servers were compromised and that nearly 400 accounts and almost 200 systems across every IBM business unit, in 18 countries, had been accessed. Jason Brown, Barlow's lawyer, said his firm was looking forward to aggressively litigating the matter. Brown argued that it is contradictory to sell cybersecurity to the federal government while having security problems within your own company. This case highlights how cyberattacks, even at major tech companies, can be concealed despite data breach notification laws that have been passed in recent years.