In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said IBM concluded Chinese hackers breached its core network between 2013 and 2016 but that the company then covered up the breaches and never disclosed them. Barlow also said at least two IBM subsidiaries were also breached, and that IBM covered up those breaches as well.
Barlow alleged in his complaint that IBM’s core network was “routinely hacked by foreign state actors and others,” adding that data was frequently stolen and government agencies were “never notified.”
A former senior cybersecurity executive at IBM has accused the company of concealing several major cyber breaches allegedly carried out by foreign government-linked hackers over the course of the last decade, according to a lawsuit that was filed in 2020 and unsealed this week.
The lawsuit, brought by former IBM Vice President of Threat Intelligence William Barlow, claims that IBM’s core network was repeatedly compromised between 2013 and 2016 in a hacking campaign allegedly linked to Chinese state-backed actors. Barlow alleges that IBM concluded its systems had been infiltrated but did not disclose the incidents to authorities or the public.
According to the complaint, internal investigations at IBM reportedly found that advanced persistent threat group APT10 may have breached IBM systems tens of thousands of times during that period. The filings also allege that at least two IBM subsidiaries were affected and that sensitive data was accessed across multiple business units and countries.
Barlow further claims that IBM and its partner AT&T experienced intrusions within shared network infrastructure, and that limitations in logging and monitoring systems made it difficult to fully assess the scope of the breaches. The complaint describes IBM’s internal security environment as outdated in parts, allegedly enabling attackers to move laterally through systems undetected.
The lawsuit also alleges that IBM did not notify government agencies or affected customers, despite the company being a major cybersecurity provider for U.S. federal institutions. IBM has not publicly addressed the specific allegations in detail, but a company spokesperson said the case was filed years ago and that the U.S. Department of Justice declined to intervene, adding that IBM believes its actions complied with applicable law.
Barlow’s filing also references additional alleged breaches involving IBM-acquired subsidiaries, including Trusteer and Truven, which he claims were compromised after acquisition and not properly disclosed.
Legal representatives for Barlow say they intend to aggressively pursue the case, arguing that companies selling cybersecurity services must be held to high internal security standards.
