A former IBM cybersecurity executive accused the company of getting hacked three times in the past decade by foreign governments and then covering up the breaches.
In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said IBM concluded Chinese hackers breached its core network between 2013 and 2016 but that the company then covered up the breaches and never disclosed them. Barlow also said at least two IBM subsidiaries were also breached, and that IBM covered up those breaches as well.
Barlow alleged in his complaint that IBM’s core network was “routinely hacked by foreign government actors and others,” adding that data was often stolen and government agencies were “never notified.”
While the alleged breaches date back more than a decade, the case shows that cyberattacks, even those affecting large public tech companies such as IBM, sometimes never get disclosed, either to the public or to relevant government authorities. IBM is a major cybersecurity vendor to the U.S. federal government, which makes the alleged concealment particularly significant. In the past few years, several data breach notification laws have been passed to counter this problem.
Bloomberg first reported on the lawsuit.
IBM spokesperson Miki Carver declined to answer specific questions about the lawsuit and the underlying accusations. Instead, Carver told TechCrunch, “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”
In particular, Barlow said IBM was among several victims of a hacking campaign carried out by APT 10, a Chinese government-linked group that then-FBI Director Christopher Wray said had targeted a ‘Who’s Who’ of the global economy when its members were indicted in 2018. The hackers broke into both the company’s network and the data it maintained there in partnership with AT&T.
Barlow alleged that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States, and the United Kingdom — the so-called Five Eyes alliance — warned IBM of the breach, which prompted an internal investigation.
According to the complaint, the investigation concluded that APT 10 possibly breached IBM’s network more than 56,000 times between 2013 and 2016. Crucially, the company said it could not investigate further because it had not kept logs of who accessed its network and when — a basic security practice.
IBM then allegedly failed to alert any authorities or the U.S. government, one of its main customers.
“As IBM and AT&T’s Core Networks’ infrastructure is archaic, hackers have been able to gain access to the system on many occasions and can roam about anywhere undetected,” read the complaint, which explained that IBM’s internal investigation concluded four servers were compromised in the APT 10 hacking campaign.
“The attackers have compromised and/or accessed about 400 compromised accounts and about 200 total systems and servers across each IBM business unit, eighteen countries, and multiple IBM products,” said an internal IBM report about the investigation into the breach, according to the complaint.
Jason Brown, a lawyer representing Barlow, told TechCrunch that his firm is “looking forward to aggressively litigating the matter.”
“You can’t sell cybersecurity to the federal government while allegedly having these security problems inside your own company,” said Brown.
According to Barlow, other breaches he was aware of affected Trusteer, a cybersecurity startup acquired by IBM in 2013, which he says was breached in 2018; and Truven, a healthcare data startup IBM acquired in 2016, which he says was breached multiple times after the acquisition.
In both cases, Barlow accused IBM of failing to properly investigate and disclose these breaches.