IBM Accused of Covering Up Multiple Data Breaches by Former Cybersecurity Executive

A former IBM cybersecurity executive has come forward with allegations that the company was hacked multiple times by foreign governments and covered up the breaches. William Barlow, who served as IBM's vice president of threat intelligence until August 2019, filed a lawsuit in 2020 that was unsealed this week. According to Barlow, IBM's core network was breached by Chinese hackers between 2013 and 2016, and the company covered up the breaches, failing to notify government agencies or the public.

Barlow's lawsuit alleges that IBM's core network was "routinely hacked by foreign state actors and others," with data frequently stolen. He also claims that at least two IBM subsidiaries were breached, and that the company covered up these breaches as well. The alleged breaches date back more than a decade, but the news highlights the ongoing issue of cyberattacks going undisclosed, even by large public tech companies like IBM.

The lawsuit specifically mentions that IBM was a victim of a hacking campaign carried out by APT 10, a Chinese government-linked group. In 2018, then-FBI Director Christopher Wray said that APT 10 had targeted a "Who's Who" of the global economy. According to Barlow, intelligence officials from the Five Eyes alliance warned IBM of the breach in March 2017, prompting an internal investigation.

The investigation concluded that APT 10 potentially breached IBM's network more than 56,000 times between 2013 and 2016. Despite the severity of the breaches, IBM allegedly failed to alert any authorities or the U.S. government, one of its main customers.

An internal IBM report described the breach as compromising "nearly 400 compromised accounts and almost 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products." IBM spokesperson Miki Carver declined to answer specific questions about the lawsuit, stating that the company is "confident that our actions followed the letter of the law." Barlow's lawyer, Jason Brown, said that his firm is "looking forward to aggressively litigating the matter." Brown also stated that "you can't sell cybersecurity to the federal government while allegedly having these security problems within your own company." In addition to the alleged breaches at IBM, Barlow claims that other breaches occurred at Trusteer, a cybersecurity startup acquired by IBM in 2013, and Truven, a healthcare data startup IBM acquired in 2016. Barlow accused IBM of failing to properly investigate and disclose these breaches, which raises questions about the company's cybersecurity practices and its transparency with customers and government agencies.