IBM and Truven: Former cyber executive turned whistleblower accuses IBM of covering up several data breaches

Former IBM Executive Alleges Decade-Long Cover-Up of State-Sponsored Cyberattacks

A recently unsealed 2020 lawsuit filed by William Barlow, IBM’s former vice president of threat intelligence, accuses the company of concealing multiple cyber breaches, including attacks by foreign governments, over the past decade. Barlow, who left IBM in August 2019, claims the tech giant failed to disclose breaches of its core network and subsidiaries, despite evidence of extensive compromise.

The lawsuit centers on a 2013–2016 campaign attributed to APT 10, a Chinese state-linked hacking group indicted by the U.S. in 2018. According to Barlow, intelligence officials from the Five Eyes alliance (U.S., U.K., Canada, Australia, and New Zealand) warned IBM of the breach in March 2017, prompting an internal investigation. The probe found that APT 10 potentially breached IBM’s network over 56,000 times, compromising 400 accounts and nearly 200 systems across 18 countries and multiple business units. However, IBM allegedly did not retain access logs, hindering further investigation.

Barlow further alleges that IBM never notified government authorities or customers, including the U.S. federal government, a major IBM client. The complaint describes IBM’s infrastructure as outdated and vulnerable, with hackers moving undetected across its systems. Additionally, Barlow claims breaches at two IBM subsidiaries: Trusteer (a cybersecurity firm acquired in 2013), breached in 2018, and Truven (a healthcare data company acquired in 2016), which was allegedly breached multiple times post-acquisition.

IBM has denied wrongdoing, stating the lawsuit is six years old and that the U.S. Department of Justice declined to intervene. The company maintains it acted within the law. Barlow’s lawyer has indicated plans to aggressively litigate the case, framing the allegations as incompatible with IBM’s role as a federal cybersecurity vendor.

The case highlights concerns over undisclosed breaches at major tech firms, even as stricter data breach notification laws have been enacted in recent years.

Source: https://techcrunch.com/2026/06/05/former-cyber-executive-turned-whistleblower-accuses-ibm-of-covering-up-several-data-breaches/

Merative cybersecurity rating report: https://www.rankiteo.com/company/merative

IBM cybersecurity rating report: https://www.rankiteo.com/company/ibm

"id": "MERIBM1780698286",
"linkid": "merative, ibm",
"type": "Cyber Attack",
"date": "1/2013",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'U.S. federal government and '
                                              'other clients',
                        'industry': 'Technology',
                        'location': 'Global (18 countries)',
                        'name': 'IBM',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Cybersecurity',
                        'name': 'Trusteer',
                        'type': 'Subsidiary (Cybersecurity firm)'},
                       {'industry': 'Healthcare',
                        'name': 'Truven',
                        'type': 'Subsidiary (Healthcare data company)'}],
 'customer_advisories': 'None issued',
 'data_breach': {'data_exfiltration': 'Suspected',
                 'personally_identifiable_information': 'Potentially '
                                                        '(healthcare data)',
                 'sensitivity_of_data': 'Potentially high (healthcare data, '
                                        'federal client data)'},
 'date_detected': '2017-03',
 'date_publicly_disclosed': '2020',
 'description': 'A lawsuit filed by IBM’s former vice president of threat '
                'intelligence, William Barlow, accuses IBM of concealing '
                'multiple cyber breaches, including attacks by foreign '
                'governments over the past decade. The lawsuit highlights a '
                '2013–2016 campaign attributed to APT 10, a Chinese '
                'state-linked hacking group, which allegedly breached IBM’s '
                'network over 56,000 times, compromising 400 accounts and '
                'nearly 200 systems across 18 countries and multiple business '
                'units. IBM is also accused of failing to disclose breaches at '
                'its subsidiaries Trusteer and Truven.',
 'impact': {'brand_reputation_impact': 'Potential damage due to undisclosed '
                                       'breaches',
            'data_compromised': 'Yes',
            'legal_liabilities': 'Potential regulatory and legal actions',
            'operational_impact': 'Extensive compromise across multiple '
                                  'business units',
            'systems_affected': 'Nearly 200 systems'},
 'investigation_status': 'Ongoing litigation',
 'motivation': ['Espionage', 'Data exfiltration'],
 'post_incident_analysis': {'root_causes': 'Outdated infrastructure, lack of '
                                           'access log retention, delayed '
                                           'response to intelligence warnings'},
 'references': [{'source': 'Unsealed 2020 lawsuit filed by William Barlow'},
                {'source': 'U.S. Department of Justice indictment of APT 10 '
                           '(2018)'}],
 'regulatory_compliance': {'legal_actions': 'Lawsuit filed by former executive',
                           'regulations_violated': ['Potential violations of '
                                                    'data breach notification '
                                                    'laws'],
                           'regulatory_notifications': 'None reported'},
 'response': {'communication_strategy': 'No public disclosure or customer '
                                        'notifications',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'No'},
 'threat_actor': 'APT 10 (Chinese state-linked hacking group)',
 'title': 'Alleged Decade-Long Cover-Up of State-Sponsored Cyberattacks on IBM',
 'type': ['State-sponsored cyberattack', 'Data breach'],
 'vulnerability_exploited': 'Outdated and vulnerable infrastructure'}