Allegations of a Decade-Long Concealment
A bombshell lawsuit, recently unsealed, accuses technology giant IBM and its partner AT&T of deliberately concealing multiple data breaches by foreign governments over the past decade. The legal action, filed in 2020 by William Barlow, a former Vice President of Threat Intelligence at IBM, alleges that the companies not only failed to disclose these security incidents but actively worked to cover them up. The alleged breaches, which reportedly occurred between 2013 and 2016, involved infiltrations of IBM's core network and data it maintained in partnership with AT&T.
Barlow's complaint asserts that Chinese hackers, specifically the group known as APT 10, infiltrated IBM's core network, potentially breaching it more than 56,000 times during that period. The lawsuit also claims that at least two IBM subsidiaries were compromised, and these incidents were similarly concealed. The former executive alleges he personally witnessed numerous breaches and was pressured by executives to "tone down" internal reports and omit crucial details to avoid public distrust and negative market performance.
Compromised Networks and Lack of Basic Security
The lawsuit paints a troubling picture of IBM's internal security practices, alleging that the company and AT&T lacked basic security controls. According to Barlow, IBM did not keep logs of who accessed its network and when, a fundamental security practice, which hampered further investigation into the extent of the breaches. This alleged lack of logging and network segmentation, particularly for AT&T-managed VPN connections into IBM cloud services, allowed foreign hackers to move freely within the IBM cloud.
An internal investigation, reportedly prompted by a 2017 warning from the Five Eyes alliance (intelligence services from the US, UK, Canada, Australia, and New Zealand), confirmed deep infiltration of the system. However, due to the absence of network access logs, the company could not fully determine the scale of the attack. The complaint further alleges that the data breaches were so extensive and the core networks so poorly designed that neither IBM nor AT&T could definitively ascertain what data was compromised, by whom, or whether any data was exfiltrated, altered, or modified.
Implications for Government Contracts and Corporate Accountability
The accusations are particularly significant given IBM's role as a major cybersecurity vendor to the U.S. federal government. Barlow's lawsuit alleges that IBM made false assurances about the security of its systems to win and retain billions of dollars in federal contracts. The complaint, filed under the False Claims Act, allows private whistleblowers to sue for alleged fraud against the government.
IBM has responded by stating that the complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. An IBM spokesperson expressed confidence that the company's actions followed the law. However, the unsealing of this lawsuit raises critical questions about corporate transparency, the protection of sensitive government information, and the responsibility of companies to disclose security compromises, especially when holding contracts with federal agencies and the military.