Ex-IBM Cybersecurity Executive Alleges Company Concealed Multiple Data Breaches

A former IBM cybersecurity executive has alleged that the company suffered three significant cyber intrusions by foreign government-linked hackers over the past decade and concealed them from the public.

The allegations are detailed in a lawsuit filed in 2020 that was only unsealed this week. William Barlow, who served as IBM’s vice president of threat intelligence until August 2019, claims the company determined that Chinese hackers had infiltrated its core network between 2013 and 2016. According to the lawsuit, IBM subsequently covered up the breaches and never publicly disclosed them. Barlow further alleges that at least two IBM subsidiaries were also compromised and that those incidents were similarly concealed.

In the complaint, Barlow alleges that IBM’s core network was “routinely hacked by foreign state actors and others,” claiming that data was repeatedly stolen while government agencies were never informed of the activity.

Although the alleged incidents date back more than a decade, the case highlights how cyberattacks affecting even major publicly traded technology companies can remain undisclosed. IBM’s position as a major cybersecurity contractor for the U.S. federal government makes the allegations particularly notable. In recent years, lawmakers have introduced and strengthened breach-notification requirements to address situations in which significant cyber incidents go unreported.

Bloomberg first reported on the lawsuit.

IBM spokesperson Miki Carver declined to comment on the specific allegations outlined in the filing. Instead, Carver said: “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”

A key part of Barlow’s claims involves a hacking campaign attributed to APT10, a group linked to the Chinese government. The organisation gained international attention when its members were indicted in 2018, with then-FBI Director Christopher Wray describing its victims as a virtual “Who’s Who” of the global economy.

According to Barlow, the hackers breached both IBM’s internal network and the systems the company operated in partnership with AT&T.

The lawsuit states that intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States — collectively known as the Five Eyes alliance — alerted IBM to the breach in March 2017, triggering an internal investigation.

According to the complaint, that investigation concluded APT10 may have breached IBM’s network more than 56,000 times between 2013 and 2016. The filing further claims the company could not determine the full extent of the compromise because it had not retained adequate logs showing who accessed its systems and when, a standard cybersecurity practice.

Barlow alleges that despite those findings, IBM did not notify government authorities or the U.S. government, one of its largest customers.

The complaint argues that outdated infrastructure in IBM’s and AT&T’s core networks enabled them to repeatedly gain access to and move through systems with little detection. Internal investigators reportedly concluded that four servers were compromised during the APT10 campaign.

According to the lawsuit, an internal IBM report stated that attackers had compromised or accessed nearly 400 accounts and close to 200 systems across multiple business divisions, products, and countries.

Jason Brown, an attorney representing Barlow, said his legal team is prepared to pursue the case aggressively.

“You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company,” Brown said.

Beyond the APT10 allegations, Barlow claims he was aware of additional breaches involving IBM-owned businesses. He alleges that Trusteer, a cybersecurity company acquired by IBM in 2013, was breached in 2018. He also claims that Truven, a healthcare data company acquired in 2016, suffered multiple cyber incidents after becoming part of IBM.

In both situations, Barlow alleges that IBM failed to investigate the incidents adequately and did not properly disclose the breaches.