Ex-IBM Exec Alleges Cover-Up of Major Foreign Government Hacks
A former high-ranking cybersecurity executive at IBM has filed a lawsuit accusing the technology giant of concealing multiple significant data breaches, some allegedly perpetrated by foreign state-sponsored hacking groups. William Barlow, who previously served as IBM’s vice president of threat intelligence until August 2019, claims the company failed to disclose breaches that occurred over several years, despite the sensitive nature of the data potentially compromised and IBM’s role as a key cybersecurity vendor to the U.S. federal government.
The lawsuit, unsealed recently but initially filed in 2020, details allegations that IBM’s core network was repeatedly infiltrated by foreign actors between 2013 and 2016. Barlow asserts that the company concluded these intrusions were carried out by Chinese hackers, specifically mentioning the APT 10 group, which has been linked to the Chinese government. Despite warnings from intelligence agencies within the Five Eyes alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States) in March 2017, Barlow claims IBM did not notify relevant authorities or the public.
Further allegations suggest that IBM’s internal investigation into the APT 10 campaign revealed significant network compromise, affecting numerous servers and accounts across various business units and countries. Barlow contends that IBM’s ability to investigate was hampered by a lack of basic security practices, such as maintaining logs of network access. The complaint also points to alleged cover-ups of breaches affecting IBM subsidiaries, including Trusteer, acquired in 2013, and Truven, acquired in 2016, both of which Barlow claims suffered breaches after their acquisition by IBM.
In response to the lawsuit, an IBM spokesperson stated that the complaint was filed six years ago and that the Department of Justice declined to intervene. The company expressed confidence that its actions were lawful. Barlow’s legal team, however, has indicated an intent to vigorously pursue the case, emphasizing the apparent conflict between IBM’s alleged internal security failures and its business of providing cybersecurity services to government entities.
Key Takeaways
- A former IBM cybersecurity executive alleges the company covered up multiple data breaches, including intrusions by foreign state-sponsored hackers.
- The lawsuit claims IBM failed to notify government agencies and the public about breaches affecting its core network and subsidiaries.
- IBM has stated the lawsuit was filed years ago, the DOJ declined to intervene, and the company is confident in its legal compliance.
Editor’s Analysis & Impact
This lawsuit raises serious questions about corporate transparency and accountability in the cybersecurity sector. If Barlow’s allegations are proven true, they could have significant repercussions for IBM’s reputation, particularly given its extensive contracts with government agencies. The case highlights the ongoing challenge of detecting and disclosing sophisticated cyber threats, and the potential conflicts that arise when companies providing security services face their own vulnerabilities. The outcome could influence regulatory scrutiny and industry best practices regarding breach notification and internal security protocols, especially for companies handling sensitive government or corporate data.
Frequently Asked Questions
Q: Who is William Barlow and what is his role in the lawsuit against IBM?
A: William Barlow is a former vice president of threat intelligence at IBM. He filed a lawsuit alleging that IBM covered up multiple data breaches that occurred during his tenure.
Q: What specific hacking group is mentioned in the lawsuit?
A: The lawsuit specifically mentions APT 10, a hacking group linked to the Chinese government, as one of the alleged perpetrators of breaches against IBM’s network.
Q: What is IBM’s response to the allegations?
A: IBM has stated that the complaint was filed six years ago, the U.S. Department of Justice declined to intervene, and the company is confident that its actions complied with the law.