Key Takeaways
- Former IBM cybersecurity VP William Barlow alleges that IBM’s core network was hacked by Chinese state‑linked group APT 10 multiple times between 2013‑2016 and that the company concealed the breaches.
- The lawsuit, filed in 2020 and unsealed this week, claims IBM failed to notify U.S. authorities or its federal government customers despite warnings from the Five Eyes alliance.
- An internal IBM investigation cited in the complaint reportedly concluded that APT 10 potentially accessed the network more than 56,000 times, compromised nearly 400 accounts and affected systems in 18 countries, yet the company lacked the basic access logging needed to take the analysis further.
- Barlow also alleges that two IBM subsidiaries, Trusteer (acquired 2013) and Truven Health Analytics (acquired 2016), were breached after acquisition and that those breaches were similarly concealed.
- IBM denies wrongdoing, stating the Department of Justice declined to intervene and that its actions complied with the law; the case highlights ongoing challenges with breach disclosure even among major cybersecurity vendors.
Background of the Lawsuit
In 2020 William Barlow, who served as IBM’s vice president of threat intelligence until August 2019, filed a complaint accusing the company of concealing multiple cyber intrusions by foreign state actors. The suit remained sealed until this week, when it was unsealed and reported by Bloomberg. Barlow’s allegations center on breaches that allegedly occurred between 2013 and 2016, a period when IBM was a leading provider of cybersecurity solutions to the U.S. federal government. The lawsuit seeks damages for what Barlow claims were deceptive practices that violated both contractual obligations and public trust.
Alleged APT 10 Intrusions
Barlow contends that IBM’s core network was repeatedly penetrated by APT 10, a hacking group linked to China’s Ministry of State Security (the U.S. Department of Justice made that link public when it indicted two APT 10 members in December 2018). The complaint cites an internal IBM investigation that concluded APT 10 potentially accessed the network more than 56,000 times over the three‑year span. According to Barlow, the hackers stole data, created backdoors, and moved laterally across systems without detection. The alleged intrusions were said to have been discovered only after warnings from the Five Eyes intelligence alliance in March 2017.
Failure to Maintain Basic Logging
A critical point in Barlow’s complaint is IBM’s alleged lack of adequate network logging, which hampered any meaningful investigation. The suit asserts that because IBM did not retain authentication and access records showing who accessed which systems and when, the company itself claimed it could not conduct a deeper forensic analysis, so the true scope of the compromise was never established. This deficiency, Barlow argues, violated fundamental cybersecurity hygiene and left the breaches inadequately addressed, despite the availability of internal alerts and external warnings.
Scale of the Compromise
According to an internal IBM report referenced in the lawsuit, the APT 10 campaign compromised nearly 400 user accounts and affected almost 200 servers and systems across every IBM business unit, spanning 18 countries and multiple product lines. Four core servers were specifically identified as compromised. The complaint describes the compromised infrastructure as “archaic,” enabling attackers to roam undetected and exfiltrate sensitive information, possibly including proprietary threat‑intelligence data and customer information.
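The two preceding sections turn on one practical question: what can an investigator actually reconstruct from retained access records, and what is lost when they are not kept? The script below is an added example, not IBM’s tooling or anything from the complaint. It parses constructed sshd “Accepted” login lines, derives the kind of raw counts a breach report cites (accounts touched, hosts touched), chains logins into lateral‑movement hops using a constructed host‑to‑address inventory, and flags hosts whose constructed retention period does not reach back to the start of the investigation window. All host names, addresses, accounts, timestamps and retention values are invented for the example.

```python
"""Scoping an intrusion from retained access logs (added example, not IBM's tooling).

Given authentication records that say who logged into which host, from where and
when, an investigator can (a) list the accounts and hosts touched, (b) chain logins
into lateral-movement paths, and (c) tell which hosts' log retention actually covers
the investigation window. Everything below (log lines, host addresses, retention
periods, dates) is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd "Accepted" lines in ISO-8601/UTC syslog form.
SAMPLE_LOG = """\
2017-03-02T08:14:03Z srv-web-01 sshd[2211]: Accepted publickey for svc_backup from 10.1.4.20 port 51022 ssh2
2017-03-02T08:15:10Z srv-web-01 sshd[2240]: Accepted password for jdoe from 10.1.4.20 port 51040 ssh2
2017-03-02T08:16:45Z srv-db-01 sshd[9981]: Accepted password for jdoe from 10.1.2.11 port 40011 ssh2
2017-03-02T08:20:01Z srv-db-01 sshd[9990]: Accepted publickey for svc_backup from 10.1.2.11 port 40022 ssh2
2017-03-02T09:02:30Z srv-ad-01 sshd[3105]: Accepted password for jdoe from 10.1.2.30 port 40100 ssh2
2017-03-03T01:10:00Z srv-web-01 sshd[2300]: Accepted password for asmith from 203.0.113.9 port 60001 ssh2
"""

# Constructed asset inventory: which host owns which address. Needed to turn a
# source IP in one host's log into "this login came from host X".
HOST_IPS = {"srv-web-01": "10.1.2.11", "srv-db-01": "10.1.2.30", "srv-ad-01": "10.1.2.40"}

# Constructed retention policy per host: days of authentication history kept.
RETENTION_DAYS = {"srv-web-01": 90, "srv-db-01": 7, "srv-ad-01": 30}

# Constructed investigation parameters: when the review runs and how far back it must look.
AS_OF = datetime(2017, 3, 6)
WINDOW_START = datetime(2017, 2, 15)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_log(text):
    """Parse accepted-login lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def scope(events):
    """Accounts and hosts present in the retained records: the raw 'N accounts, M servers'
    figures a breach report cites are nothing more than these two sets."""
    return sorted({e["user"] for e in events}), sorted({e["host"] for e in events})


def find_lateral_hops(events, host_ips, window=timedelta(hours=2)):
    """Return (user, from_host, to_host, ts) for every login whose source address belongs
    to a host the same user had logged into within `window` beforehand."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    last_seen = defaultdict(dict)  # user -> host -> time of that user's last login there
    hops = []
    for e in events:  # sorted by time, so earlier logins are already in last_seen
        src_host = ip_to_host.get(e["src"])
        if src_host is not None:
            prev = last_seen[e["user"]].get(src_host)
            if prev is not None and e["ts"] - prev <= window:
                hops.append((e["user"], src_host, e["host"], e["ts"]))
        last_seen[e["user"]][e["host"]] = e["ts"]
    return hops


def coverage_gaps(retention_days, as_of, window_start):
    """Hosts whose oldest retained record is newer than the start of the window.
    For these, absence of evidence is not evidence of absence: the records needed to
    say who accessed them earlier in the window no longer exist."""
    gaps = []
    for host, days in sorted(retention_days.items()):
        oldest_kept = as_of - timedelta(days=days)
        if oldest_kept > window_start:
            gaps.append((host, oldest_kept))
    return gaps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    users, hosts = scope(evs)
    print(f"{len(users)} accounts touched {len(hosts)} hosts: {users} / {hosts}")
    for user, src, dst, ts in find_lateral_hops(evs, HOST_IPS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {src} -> {dst}")
    for host, oldest in coverage_gaps(RETENTION_DAYS, AS_OF, WINDOW_START):
        print(f"{host}: records only go back to {oldest:%Y-%m-%d}; earlier access cannot be scoped")
```

On the constructed data the hop chain shows one account moving from the web server to the database server and on to the directory server within an hour, which is exactly the movement the complaint says went undetected; the coverage check shows that a host keeping only seven days of authentication history cannot answer “who accessed this system in February” in March, which is the kind of gap that lets a company say it “could not conduct a deeper forensic analysis”. In practice the hop detection depends on an accurate host‑to‑address inventory and on logs with synchronized clocks, and the retention check should be run against what the log store actually holds rather than against the policy it is supposed to enforce.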
Impact on IBM Subsidiaries
Barlow also alleges that breaches extended to two IBM subsidiaries acquired during the period in question. Trusteer, a cybersecurity startup bought in 2013, purportedly suffered a breach in 2018 that IBM failed to properly investigate or disclose. Truven Health Analytics, acquired in 2016, reportedly suffered multiple intrusions after the acquisition, with similar allegations of concealment. These claims suggest a pattern of inadequate post‑acquisition security integration and transparency within IBM’s broader corporate structure.
Government and Five Eyes Warnings
The lawsuit notes that in March 2017, officials from the Five Eyes alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States) alerted IBM to the suspected APT 10 activity. Barlow claims this warning triggered an internal review, yet IBM allegedly chose not to inform U.S. government agencies, despite being a major contractor for federal cybersecurity services. The failure to notify authorities is presented as a breach of both ethical duty and, potentially, legal obligations under emerging breach‑notification statutes.
IBM’s Official Response
IBM spokesperson Miki Carver declined to address the specific accusations, instead stating that the complaint was filed six years prior and that the U.S. Department of Justice had declined to intervene. Carver emphasized IBM’s confidence that its actions complied with the letter of the law. The company’s rebuttal hinges on procedural arguments rather than a substantive denial of the alleged intrusions, leaving the factual disputes to be resolved through litigation.
Legal and Industry Implications
Barlow’s lawyer, Jason Brown, characterized the case as a conflict of interest: “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.” The suit underscores a growing tension between corporations that market security services and their own internal security posture. It also highlights the relevance of recent data‑breach notification laws, which aim to compel timely disclosure to regulators and affected parties, laws that the plaintiff says IBM ignored.
Broader Context of Undisclosed Breaches
The allegations fit into a broader pattern where large technology firms sometimes fail to disclose cyber incidents, either to avoid reputational damage or because of unclear regulatory obligations. Even though IBM is a prominent cybersecurity vendor, the suit suggests that internal shortcomings—such as poor logging, delayed investigations, and selective transparency—can persist. The outcome of this case may influence how other tech giants approach breach disclosure, especially when they serve as trusted advisors to government agencies.
Conclusion
The unsealed lawsuit brings serious accusations against IBM’s handling of multiple alleged state‑sponsored cyber intrusions and subsequent cover‑ups. While IBM maintains that its conduct was lawful, the claims presented by Barlow—supported by internal reports, Five Eyes warnings, and assertions about inadequate logging—raise significant questions about corporate accountability, breach transparency, and the trustworthiness of security vendors that serve critical national interests. As the litigation proceeds, its findings could have lasting repercussions for IBM, its government contracts, and industry‑wide standards for breach disclosure.

