Former cyber executive turned whistleblower accuses IBM of covering up several data breaches

A former IBM cybersecurity executive has accused the company of being hacked three times over the past decade by foreign governments and then covering up the breaches. In a lawsuit unsealed this week but filed in 2020, William Barlow, who was IBM’s vice president of threat intelligence until August 2019, said IBM concluded that Chinese hackers breached its core network between 2013 and 2016, but that the company then covered up the breaches and never disclosed them.

Barlow also said at least two IBM subsidiaries were breached, and that IBM covered up those breaches as well. Barlow alleged in his complaint that IBM’s core network was “routinely hacked by foreign state actors and others,” adding that data was frequently stolen and government agencies were “never notified.”

While the alleged breaches date back more than a decade, the news shows that cyberattacks, even those affecting large public tech companies such as IBM, sometimes never get disclosed, either to the public or to relevant government authorities. IBM is a major cybersecurity vendor to the U.S. federal government, which makes the alleged concealment especially significant. In the last few years, several data breach notification laws have been passed to counter this problem. Bloomberg first reported on the lawsuit.

IBM spokesperson Miki Carver declined to answer specific questions about the lawsuit and the underlying accusations. Instead, Carver told TechCrunch, “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.”

In particular, Barlow said IBM was among several victims of a hacking campaign carried out by APT 10, a Chinese government-linked group that then-FBI Director Christopher Wray said had targeted a “Who’s Who” of the global economy when its members were indicted in 2018. According to Barlow, the hackers broke into both the company’s network and the data it maintained there in partnership with AT&T.

Barlow alleged that in March 2017, intelligence officials from Australia, Canada, New Zealand, the United States, and the United Kingdom, the so-called Five Eyes alliance, warned IBM of the breach, which prompted an internal investigation. According to the complaint, the investigation concluded that APT 10 potentially breached IBM’s network more than 56,000 times between 2013 and 2016. Crucially, the company said it could not investigate further because it had not kept logs of who accessed its network and when, which is a basic security practice. IBM then allegedly failed to alert any authorities or the U.S. government, one of its main customers.

“As IBM and AT&T’s Core Networks’ infrastructure is archaic, hackers have been able to gain access to the system on numerous occasions and can roam almost anywhere undetected,” read the complaint, which explained that IBM’s internal investigation concluded four servers were compromised in the APT 10 hacking campaign. “The attackers have compromised and/or accessed nearly 400 compromised accounts and almost 200 total systems and servers across every IBM business unit, eighteen countries, and multiple IBM products,” said an internal IBM report about the investigation into the breach, according to the complaint.

Jason Brown, a lawyer representing Barlow, told TechCrunch that his firm is “looking forward to aggressively litigating the matter.” “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company,” said Brown.

According to Barlow, other breaches he was aware of affected Trusteer, a cybersecurity startup acquired by IBM in 2013, which he says was breached in 2018; and Truven, a healthcare data startup IBM acquired in 2016, which he says was breached multiple times after the acquisition. In both cases, Barlow accused IBM of failing to properly investigate and disclose these breaches.