Former IBM executive alleges company concealed state-linked cyber intrusions
William Barlow’s unsealed complaint accuses IBM of hiding network intrusions from 2013 to 2016, raising questions about the firm’s security credentials as a federal vendor.
A lawsuit unsealed this week, originally filed in 2020, alleges that IBM concealed multiple data breaches involving its core network and subsidiaries between 2013 and 2016. William Barlow, the former vice president of threat intelligence at IBM, claims the company failed to notify government authorities or the public about intrusions attributed to the Chinese state-linked group APT 10. The complaint asserts that IBM’s internal investigations confirmed significant network compromises, yet the firm did not disclose these incidents despite being a major vendor to the US federal government.
Barlow’s legal filing details that APT 10 potentially breached IBM’s network more than 56,000 times over the three-year period. An internal IBM report cited in the complaint stated that four servers were compromised, with attackers accessing nearly 400 accounts and almost 200 systems across 18 countries. The complaint further alleges that IBM failed to maintain basic access logs, which hindered the company’s ability to conduct a thorough investigation into the extent of the intrusion.
The allegations extend beyond IBM’s core operations to include two subsidiaries: Trusteer, acquired in 2013, and Truven, acquired in 2016. Barlow claims Trusteer was breached in 2018, while Truven suffered multiple breaches after its acquisition. In both instances, the former executive accused IBM of failing to properly investigate and disclose these security failures to relevant parties.
Intelligence officials from the Five Eyes alliance, comprising Australia, Canada, New Zealand, the United States, and the United Kingdom, allegedly warned IBM of the breach in March 2017. This warning prompted the internal investigation that Barlow now claims was mishandled. The complaint argues that IBM’s archaic infrastructure allowed hackers to roam undetected, compromising critical infrastructure and data held in partnership with AT&T.
IBM has defended its conduct, stating it is confident its actions followed the letter of the law. Spokesperson Miki Carver declined to comment on the specific accusations, noting that the US Department of Justice declined to intervene when the complaint was initially filed six years ago. Barlow’s lawyer, Jason Brown, indicated the firm intends to aggressively litigate the matter, arguing that a company cannot credibly sell cybersecurity services to the federal government while allegedly harbouring such severe internal security deficiencies.
