Whistleblower Alleges IBM Concealed Multiple Data Breaches Over the Past Decade
In a recent lawsuit unsealed this week, William Barlow, IBM’s former Vice President of Threat Intelligence, has accused the company of experiencing multiple data breaches orchestrated by foreign governments between 2013 and 2016 and subsequently covering them up. Barlow’s allegations suggest that IBM’s core network was routinely hacked by foreign state actors and others, with data frequently stolen and government agencies never notified.
The lawsuit, originally filed in 2020, claims that Chinese hackers, specifically the group known as APT 10, infiltrated IBM’s core network during the specified period. Despite being aware of these breaches, IBM allegedly failed to disclose them to the public or relevant government authorities. This is particularly concerning given IBM’s role as a major cybersecurity vendor to the U.S. federal government.
Barlow’s complaint details that in March 2017, intelligence officials from the Five Eyes alliance—which includes Australia, Canada, New Zealand, the United Kingdom, and the United States—alerted IBM to the breaches. An internal investigation revealed that APT 10 had potentially accessed IBM’s network over 56,000 times between 2013 and 2016. However, due to inadequate logging practices, IBM was unable to determine the full extent of the breaches. Despite these findings, the company did not inform any authorities or its government clients.
The complaint also alleges that IBM’s subsidiaries, Trusteer and Truven, acquired in 2013 and 2016 respectively, were breached in 2018 and multiple times post-acquisition. In both instances, IBM is accused of failing to properly investigate and disclose these breaches.
IBM spokesperson Miki Carver responded to the allegations by stating, This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.
These revelations underscore the critical importance of transparency and robust cybersecurity practices, especially for companies entrusted with sensitive government data. The alleged concealment of such breaches raises significant concerns about the potential risks posed to national security and the integrity of confidential information.
