IBM accused of data breach cover-ups from over a decade ago

In a recently unsealed lawsuit, the former vice president of IBM’s threat intelligence claims the company was hacked “numerous” times, but never disclosed the incidents.

What happened

In a lawsuit filed in 2020, former IBM cybersecurity executive, William Barlow, alleged that IBM’s core network was breached multiple times between 2013 and 2016, along with at least two subsidiaries. He alleged that instead of disclosing the incidents, IBM covered up the breaches. Recently, a federal judge in New York ordered the suit be unsealed.

Going deeper

In the lawsuit, Barlow alleged that IBM was the victim of a Chinese-government linked hacking group known as APT 10. Barlow further said that intelligence officials from Australia, Canada, New Zealand, the United Kingdom, and the United States warned IBM of the breach in March 2017, prompting an internal investigation. According to the lawsuit, the investigation found that APT 10 potentially breached IBM’s network over 56,000 times between 2013 and 2016. The investigation was made more complex by Barlow’s allegation that IBM did not keep logs of who accessed the IBM network and at which times.

What was said

In the lawsuit, Barlow stated IBM’s core network was “routinely hacked by foreign state actors and others and further said that data was frequently stolen and government agencies were “never notified.” The complaint also alleged that IBM’s, as well as AT&T’s Core Networks’ infrastructure is “archaic,” allowing hackers to gain access to the system “numerous occasions.”

In response to the incident, IBM spokesperson, Miki Carver told TechCrunch, “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”

One of the lawyers on Barlow’s legal team told TechCrunch that his firm is “looking forward to aggressively litigating the matter.”

Why it matters

IBM is a leader in cybersecurity and one of the major vendors for the US federal government, providing government training and incident response assistance. On their website, IBM notes that they help the government with “cross-team communication breakdowns, resource issues and navigating new US Securities and Exchange Commission (SEC) incident reporting requirements.” The SEC reporting requirements IBM is referring to is specifically about reporting material data breaches in a timely manner, often within four days, unless reporting the incident could cause a national security risk.

The big picture

How the lawsuit is handled could lay the groundwork for how other large organizations with strong reputations treat cybersecurity failures. If the incident goes ignored, like IBM spokesperson Miki Carver suggested, it could imply that some organizations don’t need to adhere to strict cybersecurity requirements. If the lawsuit is pursued, like Barlow’s team plans, it would suggest that no organization is safe from legal action, no matter how large or influential it may be. Now that the lawsuit has been unsealed, the government may decide to take over the case if they believe it has validity. The issue is still pending before the federal court in New York.

FAQs

Why would the case be unsealed years later?

Since this is considered a whistleblower case, the lawsuit was likely sealed so that incident could be investigated privately without any danger to Barlow or reputational harm to IBM.

Who is APT 10?

APT 10 is a Chinese-sponsored cyberthreat group that has been active since 2009. The group frequently targets massive organizations, like IBM and AT&T to steal data that may be valuable to the Chinese government. The organization has been known to target various countries, including the United Kingdom, Japan, Switzerland, India, and others.

How could IBM be breached so many times?

While the number of times IBM was allegedly breached is staggering, each event was likely connected to similar vulnerabilities. IBM may have failed to notice entry points, and those may have been repeatedly abused. The sheer number of incidents shows the necessity of auditing and regular risk assessments.