A former executive from IBM's cybersecurity division alleges that the company concealed breaches related to Chinese hacking.
TL;DR: A former vice president of threat intelligence at IBM claims the company concealed breaches by Chinese state hackers from 2013 to 2016 and did not inform federal authorities. The lawsuit is currently in court.
William Barlow, who was IBM's vice president of threat intelligence until August 2019, has accused the company of hiding several data breaches linked to Chinese state-affiliated hackers. In a whistleblower lawsuit made public this week, he asserted that IBM was aware of the breaches but intentionally chose not to inform U.S. officials.
The lawsuit was initially filed confidentially in 2020 and focuses on a hacking operation by APT 10, a group connected to the Chinese government, whose members were indicted in 2018. Christopher Wray, the then-FBI Director, remarked that the group's targets represented a "Who’s Who" of the global economy.
Barlow claimed that an internal investigation at IBM identified over 56,000 possible intrusions by APT 10 from 2013 to 2016, indicating a significant breach. An internal report referenced in the lawsuit revealed that hackers accessed nearly 400 compromised accounts and almost 200 systems across various IBM business segments.
The breaches affected 18 countries and multiple IBM products, with hackers also penetrating data IBM held in collaboration with AT&T, which is mentioned in the lawsuit.
In March 2017, intelligence representatives from the Five Eyes alliance alerted IBM to the breach, leading to an internal probe. However, IBM was unable to fully determine the extent of the damage due to a lack of logging regarding network access—a fundamental security measure.
Despite these findings, it is alleged that IBM did not report the breaches to relevant authorities. This concealment is notably concerning given that the U.S. government is one of its largest clients and IBM serves as a key cybersecurity provider for federal departments.
Barlow described IBM's core network infrastructure as "archaic," allowing hackers to "roam almost anywhere undetected."
The breaches also impacted areas beyond IBM's main network. Barlow alleged that Trusteer, a cybersecurity firm acquired by IBM in 2013, was breached in 2018, and that Truven, a healthcare data company IBM purchased in 2016 for $2.6 billion, experienced multiple breaches after the acquisition.
In both instances, he accused IBM of inadequate investigation and failure to disclose the breaches.
IBM's spokesperson Miki Carver chose not to respond to specific inquiries but stated to TechCrunch, "This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law."
The DOJ's decision not to intervene does not conclude the case. A federal judge in New York has ordered the lawsuit to be unsealed. Barlow's attorney, Jason Brown, told TechCrunch that his firm is "looking forward to aggressively litigating the matter," adding, "You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company."
The case highlights an ongoing issue in corporate cybersecurity: breaches that go unreported. For example, Uber paid $148 million in 2018 after concealing a breach from 2016 that affected 57 million users, and the United Nations faced backlash for hiding a breach of its Geneva and Vienna offices.
In response to the alleged breaches at IBM, new SEC regulations now require public companies to disclose significant cybersecurity incidents within four business days, though enforcement of these rules remains inconsistent.
