According to a former IBM cybersecurity officer, the business was hacked three times in the last ten years by foreign governments, and the intrusions were then concealed.
William Barlow, who served as IBM’s vice president of threat intelligence until August 2019, stated in a lawsuit that was unsealed this week but was filed in 2020 that the firm decided Chinese hackers had compromised its core network between 2013 and 2016 but that the corporation had concealed and never acknowledged the intrusions. At least two IBM subsidiaries were compromised, according to Barlow, and IBM reportedly concealed these intrusions.
In his complaint, Barlow claimed that IBM’s core network was “routinely hacked by foreign state actors and others,” that data was regularly taken, and that government organizations were “never notified.”
Despite the fact that the claimed breaches go back more than ten years, the revelation demonstrates that cyberattacks, especially those that target major publicly traded computer firms like IBM, are occasionally never reported to the public or the appropriate government agencies. The alleged deception is particularly noteworthy because IBM is a big cybersecurity vendor to the federal government of the United States. To combat this issue, a number of data breach reporting rules have been established in recent years.
The case was initially reported by Bloomberg, in which Miki Carver, an IBM representative, failed to respond to specific inquiries regarding the complaint and the underlying allegations. Carver told members of the press around that time that this complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is certain that we acted in accordance with the letter of the law.
Specifically, Barlow stated that APT 10, a Chinese government-affiliated group whose members were charged in 2018, targeted a “who’s who” of the world economy and that IBM was one of numerous victims of this hacking assault. The company’s network and the data it kept there in collaboration with AT&T were compromised by the hackers.
According to Barlow, an internal inquiry was started after intelligence officers from the so-called Five Eyes alliance, Australia, Canada, New Zealand, the United States, and the United Kingdom, warned IBM of the breach in March 2017.
The complaint states that the research found that between 2013 and 2016, APT 10 may have compromised IBM’s network over 56,000 times. Crucially, the corporation claimed that because it had not maintained logs of who accessed its network and when, a fundamental security procedure, it was unable to conduct an additional investigation.
Then, IBM reportedly neglected to notify the U.S. government, one of its primary clients, or any authorities.
From the complaints made, hackers have been able to gain access to the system on numerous occasions and can roam almost anywhere undetected because IBM’s and AT&T’s Core Networks’ infrastructure is archaic. IBM’s internal investigation found that four servers were compromised during the APT 10 hacking campaign.
In addition to the complaint made, an internal IBM report regarding the investigation into the breach stated the attackers have compromised and/or accessed nearly 400 compromised accounts and nearly 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products.
Barlow’s attorney Jason Brown also told the members of the press that his company is “looking forward to aggressively litigating the matter.”
Brown pointed out that users can’t sell cybersecurity to the federal government while allegedly having these security issues within their own company.
Other breaches that Barlow was aware of included Truven, a healthcare data firm that IBM acquired in 2016, which he claims was breached several times after the acquisition, and Trusteer, a cybersecurity startup that IBM acquired in 2013, which he claims was compromised in 2018.
Barlow charged IBM in both instances with neglecting to adequately look into and reveal these violations.
IBM and AT&T hold significant federal contracts to store U.S. military and government agency records. As a result, they are legally obligated to report cybersecurity breaches and data exfiltration. The whistleblower alleges that both companies made false assurances about their cybersecurity infrastructure. These false assurances helped them win and maintain billions of dollars in government business.
Furthermore, the suit alleges that IBM could not properly complete internal investigations. The reason, according to the whistleblower, is that IBM failed to follow basic security practices. For example, the company did not maintain network access logs.
IBM responded to the lawsuit through a company spokesperson. The spokesperson downplayed the allegations, stating that IBM is confident its actions followed the law. IBM also highlighted that the allegations are years old. Additionally, the company noted that federal authorities chose not to join the case.
AT&T and the U.S. government have not provided immediate public comments. The Department of Defense and the Department of Justice have also remained silent on the details of the unsealed complaint.
Meanwhile, Barlow’s legal counsel has indicated plans to aggressively litigate the matter independently.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
