William Barlow Alleges IBM And AT&T Covered Up Chinese Hackers’ Breaches

A lawsuit unsealed this week alleges that IBM and AT&T computer systems were repeatedly breached by foreign governments and that the companies concealed those intrusions from the US government, according to TechCrunch and Fortune.

“International Business Machines Corp”

Fortune

The complaint, filed in 2020 by William Barlow, says IBM concluded Chinese hackers breached its core network between 2013 and 2016 and then covered up the breaches and never disclosed them, while also alleging at least two IBM subsidiaries were breached and concealed as well.

Fortune

TechCrunch reports that Barlow said IBM’s core network was "routinely hacked by foreign state actors and others," adding that data was frequently stolen and government agencies were "never notified."

In response, IBM spokesperson Miki Carver declined to answer specific questions and told TechCrunch, "This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene."

The lawsuit says intelligence officials from the Five Eyes alliance—Australia, Canada, New Zealand, United States, and the United Kingdom—warned IBM of the breach in March 2017, prompting an internal investigation, according to TechCrunch.

According to the complaint as described by TechCrunch, that investigation concluded that APT 10 potentially breached IBM’s network more than 56,000 times between 2013 and 2016.

heise online

Fortune adds that AT&T operates this “Core Network” on behalf of IBM, and that the complaint alleges the hackers repeatedly infiltrated the network and that the companies sometimes couldn’t determine who got in or what was taken.

Fortune also quotes IBM spokesperson Adam Pratt saying, "IBM is confident that our actions followed the letter of the law," while noting that representatives of AT&T didn’t respond to requests for comment.

The complaint alleges IBM could not investigate further because it had not kept logs of who accessed its network and when, which TechCrunch describes as “a basic security practice.”

“A formercybersecurityexecutive atIBMhas accused the company of experiencing three cyberattacks by foreign governments over the past decade and subsequently concealing those incidents, according to alawsuit unsealed this week”

IndexBox

TechCrunch further reports that IBM then allegedly failed to alert any authorities or the U.S. government, one of its main customers, after the internal investigation concluded four servers were compromised in the APT 10 campaign.

In a separate account, heise online says the lawsuit was filed in a New York federal court in 2020 and remained pending, becoming public only after the US government did not exercise its option to intervene.

heise online also quotes IBM spokesman Adam Pratt explaining, "This complaint was filed six years ago, and the US Department of Justice declined to intervene," while describing the suit as based on the “False Claims Act.”