Former IBM cybersecurity chief accuses company of covering up Chinese hacking breach
The TL;DR
IBM’s former Intel VP says the company covered up violations of Chinese law from 2013-2016 and didn’t tell the feds. The case is in court.
A former IBM cybersecurity chief has accused the company of covering up multiple data breaches by state-linked Chinese hackers. William Barlow served as IBM’s vice president of threat intelligence until August 2019. In a whistleblower lawsuit filed this week, he alleges that IBM knew about the breach and willfully failed to notify US authorities.
The case was originally filed under seal in 2020. It focuses on the hacking campaign of APT 10, a group linked to the Chinese government whose members were indicted in 2018. Then-FBI Director Christopher Wray described the group’s goals as “Who’s Who” in the global economy.
Barlow alleged that an internal IBM investigation found more than 56,000 possible APT 10 logins between 2013 and 2016. The scale was huge. According to an internal report cited in the complaint, the attackers accessed nearly 400 compromised accounts and nearly 200 systems across IBM’s business units.
The breach covered 18 countries and multiple IBM products. The hackers also accessed IBM’s data stored in partnership with AT&T, which is also named in the case.
TNW City Coworking Space – Where your best work happens
A workplace designed for growth, collaboration, and endless networking opportunities at the heart of technology.
In March 2017, intelligence officials from the Five Eyes alliance warned IBM about the breach. That prompted an internal investigation. But IBM was unable to fully assess the damage because it did not keep logs of who accessed its network and when, a basic security practice.
Despite those findings, IBM is said to have never disclosed the breach to authorities. The US government is one of his biggest customers. IBM is a major vendor of cybersecurity to government agencies, making the alleged concealment particularly important.
Barlow’s complaint described the company’s network infrastructure as “the old one.” It says that cybercriminals “can roam almost anywhere undetected.
The breach extended beyond IBM’s core network. Barlow alleges that Trusteer, a cybersecurity startup IBM acquired in 2013, was breached in 2018. Truven, the healthcare data company IBM bought in 2016 for $2.6 billion, was breached multiple times after the acquisition.
In both cases, he accused IBM of failing to properly investigate or disclose the incidents.
IBM spokesman Miki Carver declined to answer specific questions. He told TechCrunch: “The complaint was filed six years ago, and the US Department of Justice declined to intervene. IBM is confident that our actions follow the letter of the law.“
The DOJ’s decision not to intervene does not end the case. A federal judge in New York ruled that the case be dismissed. Barlow’s attorney Jason Brown told TechCrunch that his company “We look forward to taking the matter to court.“
Brown added: “You can’t sell cybersecurity to the federal government when you allegedly have these security issues within your company.“
The case underscores an ongoing problem in corporate cybersecurity: breaches that never come to light. Uber paid $148 million in 2018 after covering up a 2016 breach that affected 57 million users. The United Nations was caught covering up the violations in its offices in Geneva and Vienna.
Since the alleged IBM breach, new SEC rules require public companies to disclose cyber security incidents within four business days. Law enforcement remains uneven.
