Former cyber executive turned whistleblower accuses IBM of covering up several data breaches

A former IBM cybersecurity executive accused the company of getting hacked three times in the previous decade by foreign governments and then covering up the breaches.

In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said IBM concluded Chinese hackers breached its core network between 2013 and 2016 but that the company then covered up the breaches and never disclosed them. Barlow also said at least two IBM subsidiaries were also breached, and that IBM covered up those breaches as well.

Barlow alleged in his complaint that IBM’s core network was “routinely hacked by foreign state actors and others,” adding that data was frequently stolen and government agencies were “never notified.”

While the alleged breaches date back more than a decade, the news shows that cyberattacks, even those affecting large public tech companies such as IBM, sometimes never get disclosed, either to the public or to relevant government authorities. IBM is a major cybersecurity vendor to the U.S. federal government, which makes the alleged concealment especially significant. In the last few years, several data breach notification laws have been passed to counter this problem.

IBM spokesperson Miki Carver declined to answer specific questions about the lawsuit and the underlying accusations. Instead, Carver told TechCrunch, “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”

In particular, Barlow said IBM was among several victims of a hacking campaign carried out by APT 10, a Chinese government-linked group that then-FBI Director Christopher Wray said had targeted a “Who’s Who” of the global economy when its members were indicted in 2018. The hackers broke into both the company’s network and the data it maintained there in partnership with AT&T.

Barlow alleged that in March 2017, intelligence officials from Australia, Canada, New Zealand, United States, and the United Kingdom — the so-called Five Eyes alliance — warned IBM of the breach, which prompted an internal investigation.

According to the complaint, the investigation concluded that APT 10 potentially breached IBM’s network more than 56,000 times between 2013 and 2016. Crucially, the company said it could not investigate further because it had not kept logs of who accessed its network and when — a basic security practice.

IBM then allegedly failed to alert any authorities or the U.S. government, one of its main custome