VYPR
breach · Published Jun 5, 2026 · 1 source

Ex-IBM Exec Sues IBM and AT&T, Alleging Cover-Up of Major Government Hacks

A former IBM threat intelligence executive has filed a lawsuit accusing IBM and AT&T of hiding significant cybersecurity failures and breaches from government clients.

A former IBM Vice President of Threat Intelligence, William Barlow, has filed a lawsuit under the False Claims Act, alleging that both IBM and AT&T failed to implement basic security controls and actively concealed major cybersecurity breaches from government agencies. The lawsuit, initially filed under seal in 2020 and recently unsealed after the federal government declined to intervene, claims that these companies secured substantial government contracts despite known and unresolved cybersecurity deficiencies, potentially exposing sensitive federal data to compromise.

Barlow, who led threat intelligence at IBM from 2017 to 2019, asserts that critical security lapses occurred, including the lack of logs for AT&T-managed VPN connections into IBM cloud services and the absence of network segmentation. These gaps allowed foreign state actors to move freely within IBM's cloud infrastructure and made detection and recovery efforts difficult. According to the lawsuit, executives chose to suppress warnings and evidence of active exploitation to avoid negative market impacts and preserve public trust.

IBM has responded to the allegations, with a spokesperson stating, "This complaint was filed six years ago, and the US Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law." AT&T did not provide a comment. The core of Barlow's claim is that the companies' inadequate security posture meant they could not accurately determine the scope of breaches, including what data was compromised, by whom, and when.

The lawsuit details specific instances where IBM allegedly received warnings about potential compromises. In 2017, U.S. and allied intelligence agencies alerted IBM to Chinese nation-state activity, specifically APT 10, penetrating the IBM cloud. An internal report cited in the suit indicated over 56,000 potential signs of APT 10 activity between 2013 and 2016, but these could not be investigated due to missing logs. IBM reportedly received another warning in 2018 from the U.K. National Cyber Security Centre regarding possible compromises linked to APT 10.

APT 10, a Chinese state-sponsored hacking group, has been implicated in widespread intellectual property theft and the compromise of sensitive data, including records of over 100,000 U.S. Navy personnel. The lawsuit highlights that the lack of proper network monitoring and slow implementation of endpoint detection and response capabilities, exacerbated by outsourcing to AT&T, led to a "loss of control" where adversaries could not be detected or stopped in a timely manner.

An internal IBM report referenced in the suit found that an earlier investigation into potential APT 10 activity was severely limited, probing only about 1% of relevant systems. This lack of visibility and control over the network infrastructure, coupled with the alleged suppression of findings, raises serious questions about the security assurances provided to government clients.

The allegations underscore a broader concern within the cybersecurity community regarding the diligence and transparency of major technology and telecommunications providers when handling sensitive government data. The False Claims Act allows private citizens to sue on behalf of the government for fraud, and the government can choose to intervene or let the case proceed without its participation.

This case, pending in Manhattan federal court, could have significant implications for government contracting and cybersecurity standards if Barlow's claims are substantiated. The alleged failures in basic security controls and the purported cover-up of breaches point to a systemic issue that could impact national security and the integrity of federal data.

Synthesized by Vypr AI