IBM Under Fire as Former Executive Alleges Data Breach Cover-Ups

Allegations of Data Breach Cover-Ups by IBM

William Barlow, a former vice president of threat intelligence at IBM, has made serious allegations against the company regarding its handling of multiple data breaches attributed to foreign hackers, particularly the Chinese group APT 10. Barlow's claims come to light through a lawsuit that was unsealed recently, although it was initially filed in 2020. He argues that IBM failed to report these breaches, which spanned from 2013 to 2016, to relevant U.S. authorities, thereby undermining cybersecurity protocols and transparency.

Details of the Breaches

According to Barlow, IBM's core network was compromised on numerous occasions during the aforementioned period, with APT 10 reportedly penetrating the system over 56,000 times. The lawsuit claims that breaches not only affected IBM’s network but also included IBM subsidiaries, which were similarly left unreported to governmental agencies.

In his statements, Barlow noted that intelligence officials from Australia, Canada, New Zealand, the U.S., and the U.K. alerted IBM to the breaches in March 2017. An internal investigation was prompted, but Barlow alleges that IBM could not adequately review the extent of the breaches due to a lack of comprehensive logging data—a fundamental security oversight that he contends is typical of IBM's infrastructure.

Impact on Cybersecurity

The implications of Barlow’s accusations are significant, especially considering IBM's role as a major supplier of cybersecurity solutions to the federal government. By failing to notify the government about security vulnerabilities, Barlow asserts that IBM jeopardized not only its credibility but also the security posture of critical defense and governmental systems.

IBM has responded to the lawsuit by asserting compliance with legal regulations. Miki Carver, an IBM spokesperson, stated, "This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law."

Ongoing Legal Proceedings

Barlow’s attorney, Jason Brown, has expressed optimism about pursuing the case in court, emphasizing that it is contradictory for IBM to market its cybersecurity expertise while struggling with internal security issues. In addition to the major breaches linked to APT 10, Barlow referenced attacks on Trusteer and Truven, two companies acquired by IBM, which reportedly also suffered from undetected breaches that IBM failed to disclose or investigate.

As this case unfolds, it highlights the ongoing challenges within the cybersecurity landscape, where even prominent organizations may not be immune to sophisticated hacking efforts. Additionally, the concealment of such incidents raises critical questions about accountability and regulatory compliance, particularly for firms tasked with protecting sensitive data.