A former IBM cybersecurity executive accused the company of getting hacked three times in the previous decade by foreign governments and then covering up the breaches. 

In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said IBM concluded Chinese hackers breached its core network between 2013 and 2016 but that the company then covered up the breaches and never disclosed them. Barlow also said at least two IBM subsidiaries were also breached, and that IBM covered up those breaches as well.

Barlow alleged in his complaint that IBM’s core network was “routinely hacked by foreign state actors and others,” adding that data was frequently stolen and government agencies were “never notified.” 

While the alleged breaches date back more than a decade, the news shows that cyberattacks, even those affecting large public tech companies such as IBM, sometimes never get disclosed, either to the public or to relevant government authorities. IBM is a major cybersecurity vendor to the U.S. federal government, which makes the alleged concealment especially significant. In the last few years, several data breach notification laws have been passed to counter this problem.   

Bloomberg first reported on the lawsuit.

IBM spokesperson Miki Carver declined to answer specific questions about the lawsuit and the underlying accusations. Instead, Carver told TechCrunch, “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”

In particular, Barlow said IBM was among several victims of a hacking campaign carried out by APT 10, a Chinese government-linked group that then-FBI Director Christopher Wray said had targeted a “Who’s Who” of the global economy when its members were indicted in 2018. The hackers broke into both the company’s network and the data it maintained there in partnership with AT&T. 

Barlow alleged that in March 2017, intelligence officials from Australia, Canada, New Zealand, United States, and the United Kingdom — the so-called Five Eyes alliance — warned IBM of the breach, which prompted an internal investigation.

According to the complaint, the investigation concluded that APT 10 potentially breached IBM’s network more than 56,000 times between 2013 and 2016. Crucially, the company said it could not investigate further because it had not kept logs of who accessed its network and when — a basic security practice.

IBM then allegedly failed to alert any authorities or the U.S. government, one of its main customers. 

“As IBM and AT&T’s Core Networks’ infrastructure is archaic, hackers have been able to gain access to the system on numerous occasions and can roam almost anywhere undetected,” read the complaint, which explained that IBM’s internal investigation concluded four servers were compromised in the APT 10 hacking campaign.

“The attackers have compromised and/or accessed nearly 400 compromised accounts and almost 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products,” said an internal IBM report about the investigation into the breach, according to the complaint.

Jason Brown, a lawyer representing Barlow, told TechCrunch that his firm is “looking forward to aggressively litigating the matter.” 

“You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company,” said Brown. 

According to Barlow, other breaches he was aware of affected Trusteer, a cybersecurity startup acquired by IBM in 2013, which he says was breached in 2018; and Truven, a healthcare data startup IBM acquired in 2016, which he says was breached multiple times after the acquisition.

In both cases, Barlow accused IBM of failing to properly investigate and disclose these breaches.