CyberSecurity SEE

Ex-Threat Intel Executive Accuses IBM and AT&T of Concealing Hacks


Allegations of Security Failures at IBM and AT&T Unveiled in Lawsuit


In a significant legal development, IBM and AT&T are facing serious allegations that they concealed critical security vulnerabilities, according to a newly unsealed lawsuit filed by a former IBM executive. The lawsuit has raised alarming questions about the state of cybersecurity practices within these two corporate giants. William Barlow, the former Vice President of Threat Intelligence at IBM, claims that the companies lacked fundamental security measures and actively obscured information about nation-state hacking incidents from governmental oversight.

According to Barlow, one of the most glaring failures was the absence of proper logging for the AT&T-managed VPN connections that accessed IBM’s cloud services. Of greater concern, he said, AT&T did not implement the necessary network segmentation, which potentially allowed foreign hackers to roam freely within IBM’s cloud infrastructure. This absence of effective detection and recovery strategies led to a culture of silence, where executives allegedly chose to suppress alarms and evidence regarding ongoing exploits.

The allegations are made in a False Claims Act lawsuit originally filed in 2020. The case remained sealed until recently and came to light after the U.S. government decided not to join as a co-plaintiff. Now pending in Manhattan federal court, the lawsuit contends that IBM’s core network has been under consistent attack by foreign state actors.

During his tenure at IBM from 2017 to 2019, Barlow reports that his concerns regarding the company’s lax security protocols were persistently dismissed by senior management. He recounts being instructed by executives to “tone down” his findings and to modify critical information in reports, all in a bid to maintain public trust and prevent any potential decline in market performance.

In response to the unfolding controversy, an IBM spokesperson issued a statement noting that the lawsuit was filed six years ago and pointing to the Department of Justice’s decision not to intervene. The spokesperson further expressed confidence that the company’s practices adhered to legal standards. As of now, AT&T has not commented on the allegations.

The lawsuit details alarming patterns of neglect, indicating that IBM was reportedly warned in 2017 by U.S. and allied intelligence agencies about the Chinese nation-state hacking group known as APT 10, which posed a direct threat to its cloud infrastructure. An internal report cited in the lawsuit found that from 2013 to 2016, IBM identified over 56,000 indications of potential APT 10 activities. However, these alarming indicators could not be properly investigated due to inadequate logging practices.

The sheer magnitude of the alleged data breaches has raised red flags, with the lawsuit asserting that neither IBM nor AT&T has an accurate understanding of the extent of the breaches. The claims suggest that neither company can definitively determine what data was compromised, who accessed it, or whether any data was stolen.

Moreover, the lawsuit recounts that IBM received a subsequent warning in 2018 from the U.K. National Cyber Security Centre regarding possible compromises associated with APT 10. Key figures from this hacking group were implicated in a U.S. federal indictment in 2018 for crimes including intellectual property theft and the hijacking of records from over 100,000 U.S. Navy personnel.

According to the internal IBM report referenced within the lawsuit, the lack of network monitoring following outsourcing to AT&T and the sluggish implementation of endpoint detection and response measures culminated in a troubling “loss of control.” This has rendered the companies incapable of detecting adversary movements or curtailing malicious activities in a timely and efficient manner. An earlier investigation into potential APT 10 activities was also deemed inadequate because it probed only 1% of relevant systems.
