Ex-IBM Exec Accuses Big Blue and AT&T of Covering Up Foreign Data Breaches
A former IBM cybersecurity executive is alleging that the IT giant and its cloud partner, AT&T, were repeatedly breached by foreign agents – including an APT group from China – during the last decade and failed to report the intrusions to the federal government, a key user of Big Blue’s cloud platform.
At the same time, IBM officials falsely claimed that their cloud network was secure – even though they knew that wasn’t true – in order to win lucrative contracts with federal agencies, according to William Barlow, who worked for IBM during two separate stints beginning in 2002 and had been the vendor’s vice president of threat intelligence until leaving the company in 2019.
Barlow made his allegations in an 86-page whistleblower complaint against both IBM and AT&T that was filed in 2020 but was made public this month after the federal government said it wouldn’t intervene in the lawsuit. The case is still pending before a U.S. District Court.
The allegations are wide-ranging, accusing the two major IT vendors of covering up multiple attacks by foreign adversaries, including APT10, a China-nexus group that was particularly active in the 2010s and into the early years of the current decade. IBM and AT&T also are said to have had extraordinarily poor security measures in place – such as little to no segmentation of the network – that put sensitive data of commercial customers and government agencies, as well as their own, at high risk of being accessed and stolen.
An Easy Target
It made the network an easy target for foreign adversaries.
“The data breaches are so large and the Core Networks [of both vendors] so poorly designed that neither IBM nor AT&T knows exactly what data was breached, who breached the data, where the data was breached, when the data was breached or whether any data was exfiltrated, altered and/or modified in any respect,” the lawsuit alleges.
“IBM and AT&T would be able to determine all of this if they maintained the requisite and necessary audit control logs, which they do not,” the lawsuit adds. “For purposes of the False Claims Act, both the failure to disclose data breaches and the failure of the Core Networks to meet government security standards violate a wide range of federal cybersecurity rules and regulations.”
IBM spokesperson Miki Carver told TechCrunch that the “complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”
Meanwhile, Jason Brown, a lawyer representing Barlow, told the news site that his law firm plans to “aggressively” litigate the case, adding that “you can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.”
Tens of Thousands of Intrusions
In the lawsuit, Barlow says that in March 2017, IBM was notified by investigators of the Five Eyes intelligence alliance – which includes Australia, New Zealand, Canada, the UK, and the United States – that the APT10 threat group had breached its network and accessed sensitive data. IBM was one of a large number of victims of the prolific China-nexus threat actors.
In 2018, the U.S. Justice Department indicted two key members of the group.
Barlow’s lawsuit noted an internal investigation by IBM into the Five Eyes warning that found that APT10 potentially breached the vendor’s systems 56,215 times between 2013 and 2016. However, the investigators couldn’t go much deeper because no access logs were kept that tracked the DNS requests to specific users or laptops that could have been searched for more evidence of compromise, according to the court document.
The investigators noted that “at the time of this report, the earliest attacker activity dates back to November 2017, with possible but as of yet unconfirmed activity dating back to January 2015. From the time of the onset of the investigation, attacker activity has been observed on a nearly daily basis. The attackers have compromised and/or accessed nearly 400 compromised accounts and almost 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products.”
Nothing Disclosed
Despite this, “no one from IBM – and upon information and belief – no one from AT&T, alerted the authorities or Federal Government regarding the data theft,” Barlow alleges.
Disclosure of such breaches has been an ongoing issue for governments, not only in the United States but also overseas. During the Biden Administration, agencies from the Federal Communications Commission to the Securities and Exchange Commission proposed and enacted stricter disclosure rules for companies.
Threat to National Security
Barlow in the lawsuit says he witnessed numerous incidents of data breaches of IBM systems and data theft and that he was directed by other IBM executives “to not take the necessary steps to determine the extent and seriousness of the hacking or the problem that led to the hacking. In fact, IBM consciously ignored the problem for so long that it may now be impossible to ever rid its extensive cloud data storage system of threats. This ‘head in the sand’ approach taken by IBM and AT&T jeopardizes national security.”
In addition, even as the data breaches piled up and the security weaknesses in the cloud environment were known to IBM officials, the company continued to contend when bidding for government contracts that the network was secure, a violation of such government regulations as the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63 and NIST SP 800-171.