A lawsuit that was filed in 2020 and unsealed this week has brought IBM's handling of cybersecurity incidents from years ago back into the spotlight. William Barlow, former vice president of threat intelligence at IBM, alleges that the company was repeatedly hacked by foreign governments over the past decade without reporting it to the authorities or disclosing it to the public.
The lawsuit focuses on intrusions between 2013 and 2016.
According to the lawsuit, IBM determined after an internal investigation that the APT10 hacking group, linked to the Chinese government, had infiltrated its core network between 2013 and 2016. Barlow stated that the incident was not further investigated until 2017, following a tip-off from intelligence officials from the Five Eyes intelligence alliance.
The lawsuit states that an internal investigation suggests the attacks may have occurred more than 56,000 times over several years. IBM was unable to investigate further because the company did not maintain logs recording who accessed the network and when, which is a fundamental security measure.
- The lawsuit alleges that four servers were compromised during the APT10 incident.
- Nearly 400 accounts and approximately 200 systems were accessed or affected.
- The impact extends to 18 countries and multiple business units.
The charges allege that the government was not notified.
In his lawsuit, Barlow stated that IBM's core network had long been compromised by foreign state actors and other attackers, with data frequently being stolen, but relevant government agencies "were never notified." He also claimed that IBM is a key cybersecurity provider for the U.S. federal government, making the cover-up all the more sensitive.
TechCrunch reports that an IBM spokesperson did not directly address the specific allegations in the lawsuit. IBM stated that the lawsuit was filed six years ago, and the U.S. Department of Justice did not intervene at the time; the company believes its actions were in accordance with the law.
Two subsidiaries were also charged.
In addition to the core network incident, Barlow stated that at least two IBM subsidiaries were also compromised, but the company failed to properly investigate and disclose these breaches. These include Trusteer, a cybersecurity company acquired in 2013, and Truven, a healthcare data company acquired in 2016.
According to the lawsuit, Trusteer was compromised in 2018, and Truven has also experienced multiple security incidents since its acquisition. Barlow argues that IBM handled these incidents much as it handled the core network incidents, with insufficient investigation and no disclosure.
Additional information: Barlow's lawyers stated that the team will continue to push for the case to proceed. Bloomberg had previously reported on the lawsuit.












