
TL;DR
IBM’s ex-threat intel VP alleges the company hid Chinese state hacker breaches from 2013-2016 and never told the feds. The case is now in court.
A former IBM cybersecurity executive has accused the company of concealing multiple data breaches by Chinese state-linked hackers. William Barlow served as IBM’s vice president of threat intelligence until August 2019. In a whistleblower lawsuit unsealed this week, he alleged IBM knew about the breaches and deliberately failed to notify US authorities.
The lawsuit was originally filed under seal in 2020. It centres on a hacking campaign by APT 10, a Chinese government-linked group whose members were indicted in 2018. Then-FBI Director Christopher Wray described the group’s targets as a “Who’s Who” of the global economy.
Barlow alleged that an internal IBM investigation found more than 56,000 potential APT 10 intrusions between 2013 and 2016. The scale was enormous. According to an internal report cited in the complaint, attackers accessed nearly 400 compromised accounts and almost 200 systems across every IBM business unit.
The breach spanned 18 countries and multiple IBM products. The hackers also infiltrated data IBM maintained in partnership with AT&T, which is also named in the lawsuit.
In March 2017, intelligence officials from the Five Eyes alliance warned IBM about the breach. That prompted an internal investigation. But IBM could not fully assess the damage because it had not kept logs of who accessed its network and when, even though keeping such logs is a basic security practice.
Despite those findings, IBM allegedly never disclosed the breaches to authorities. The US government is one of its largest customers. IBM is a major cybersecurity vendor to federal agencies, which makes the alleged concealment particularly significant.
Barlow’s complaint described the company’s core network infrastructure as “archaic.” Hackers could “roam almost anywhere undetected,” it claimed.
The breaches extended beyond IBM’s core network. Barlow alleged that Trusteer, a cybersecurity startup IBM acquired in 2013, was breached in 2018. Truven, a healthcare data company IBM bought in 2016 for $2.6 billion, was breached multiple times after the acquisition.
In both cases, he accused IBM of failing to properly investigate or disclose the incidents.
IBM spokesperson Miki Carver declined to answer specific questions. She told TechCrunch: “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”
The DOJ’s decision not to intervene does not end the case. A federal judge in New York ordered the suit unsealed. Barlow’s attorney Jason Brown told TechCrunch his firm is “looking forward to aggressively litigating the matter.”
Brown added: “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.”
The case underscores a persistent problem in corporate cybersecurity: breaches that never come to light. Uber paid $148 million in 2018 after concealing a 2016 breach affecting 57 million users. The United Nations was caught hiding a breach of its Geneva and Vienna offices.
Since the alleged IBM breaches, new SEC rules have required public companies to disclose material cybersecurity incidents within four business days. Enforcement remains uneven.
Original source: The Next Web
