IBM A.I CyberSecurity Scoring
IBM
Company Information
Website: http://www.ibm.com
Number of employees: 341,860
Number of followers: 19,057,383
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: ibm.com
IBM Risk Score (AI oriented)
Between 600 and 649
IBM, IT Services and IT Consulting
Updated: 11/06/2026
620/1000
Poor
Caa
Current Score: 620, Caa (POOR), on a scale of 0 to 1000
19 incidents
-20.38 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
648
Breach
11 Jun 2026 • IBM
AT&T and IBM: IBM Whistleblower Claims Data Breach Cover-Up
IBM Whistleblower Allegations Over Alleged Breach Cover-Ups
620
CRITICAL-28
ATTIBM1781168591
IBM Faces Whistleblower Allegations Over Alleged Breach Cover-Ups
IBM is embroiled in a cybersecurity controversy following a whistleblower lawsuit filed by William Barlow, its former vice president of threat intelligence. Barlow alleges the tech giant concealed multiple data breaches, including attacks linked to foreign state actors, while providing security assurances to government clients.
The lawsuit claims IBM’s core network was "routinely hacked" by foreign and unidentified hackers, with senior leadership allegedly pressuring teams to downplay internal findings and avoid full disclosure. The complaint also implicates AT&T, which operated a cloud system called Core Network on IBM’s behalf, serving parts of the U.S. federal government. According to the filing, both companies allegedly failed to properly notify government clients of breaches, potentially leaving sensitive data exposed.
The case highlights broader concerns about breach transparency, particularly for vendors handling critical infrastructure. If proven, the allegations could erode trust in enterprise cybersecurity practices, as delayed disclosures give attackers more time to exploit vulnerabilities. The lawsuit also raises questions about vendor accountability, especially for companies managing government contracts where sensitive data, including military, employee, and citizen information, is at stake.
While the allegations remain unproven, the case underscores the risks of supply-chain attacks, where hackers target vendors to access multiple clients. For businesses relying on third-party providers, the incident serves as a reminder to scrutinize breach-notification terms in contracts, ensuring clear protocols for incident reporting and response.
The lawsuit is pending, with IBM and AT&T yet to formally respond in court. The outcome could set a precedent for how major tech firms handle breach disclosures, particularly when government clients are involved.
MAY 2026
649
APRIL 2026
646
Vulnerability
20 Apr 2026 • IBM
Anthropic, Flowise, DocsGPT and IBM: Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters
Critical AI Framework Vulnerability Exposes Millions to Remote Code Execution
650
CRITICAL-4
ANTARCFLOIBM1776659058
Researchers at OX Security have uncovered a severe architectural flaw in the Model Context Protocol (MCP), a communication standard developed by Anthropic and embedded in AI frameworks across Python, TypeScript, Java, and Rust. The vulnerability enables remote code execution (RCE), exposing sensitive data including API keys, internal databases, and chat histories across the AI supply chain.
The flaw affects Flowise, a widely used open-source AI workflow builder, and extends to over 200,000 vulnerable instances, with 150 million downloads and 7,000 publicly accessible servers at risk. During testing, OX Security successfully executed live commands on six production platforms, demonstrating the flaw’s real-world impact.
Key Exploitation Vectors Identified:
- Unauthenticated UI injection in major AI frameworks.
- Hardening bypasses in "protected" environments like Flowise.
- Zero-click prompt injection in AI IDEs (e.g., Windsurf, Cursor).
- Malicious MCP server distribution, with 9 out of 11 registries compromised in testing.
At least ten CVEs have been issued, covering critical vulnerabilities in platforms such as LiteLLM, LangChain, GPT Researcher, DocsGPT, and IBM’s LangFlow.
Despite OX Security’s recommendations for root-level patches, Anthropic declined to implement protocol-wide fixes, describing the behavior as "expected." The company did not oppose the public disclosure of the findings.
The incident underscores systemic risks in AI infrastructure: the flaw is inherited by any developer building on MCP, expanding the attack surface across the ecosystem. Security teams are advised to restrict public exposure of AI services, treat MCP inputs as untrusted, and enforce sandboxed environments. Patches for affected platforms are now available.
APRIL 2026
653
Cyber Attack
01 Apr 2026 • IBM
IBM Italy and Sistemi Informativi: Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe’s digital defenses
Chinese-Linked APT Group Salt Typhoon Suspected in IBM Italy Subsidiary Breach
644
CRITICAL-9
SIS1777847095
In late April 2026, Italian cybersecurity authorities detected a significant breach at Sistemi Informativi, an IBM Italy subsidiary that manages IT infrastructure for critical public and private institutions. The incident, first reported by La Repubblica, has raised alarms over the expanding reach of Chinese-linked cyber operations in Europe.
IBM confirmed the attack, stating it had "identified and contained a cybersecurity incident" and restored affected systems, though details on the breach’s scope remain undisclosed. The company’s website was temporarily taken offline during containment efforts.
Multiple intelligence sources suggest the China-associated advanced persistent threat (APT) group Salt Typhoon is behind the attack. If confirmed, this would mark one of the most ambitious cyber intrusions targeting Italy’s public infrastructure in recent years.
Active since at least 2019, Salt Typhoon has intensified its operations over the past two years, specializing in supply-chain attacks and zero-day exploits. The group is known for its technical precision, avoiding broad phishing campaigns in favor of infiltrating networks through vulnerabilities in widely used systems, such as Citrix and Cisco. Recent targets include Viasat, Canadian telecom firms, the U.S. Army National Guard, and Dutch government networks, all characterized by prolonged data exfiltration and silent reconnaissance.
As a key IT provider for Italian institutions, Sistemi Informativi’s compromise could expose sensitive data and critical infrastructure connections, enabling attackers to map and potentially disrupt national digital systems. The breach underscores a growing vulnerability: third-party IT providers serving as high-value targets, where a single compromise can grant access to multiple government and private-sector networks.
The incident reflects broader trends in cyber warfare, where state-linked APTs increasingly exploit supply-chain weaknesses and AI-driven tactics to infiltrate critical infrastructure. For Italy and Europe, the attack highlights the need for stronger defenses and enhanced coordination between governments, industry, and intelligence agencies.
MARCH 2026
651
FEBRUARY 2026
646
JANUARY 2026
708
Breach
22 Jan 2026 • IBM
IBM: Ways to Protect Your Business From a Data Breach
IBM Reports Record-Breaking Data Breach Costs in 2024
644
LOW-64
IBM1770199486
IBM Reports Record-Breaking Data Breach Costs in 2024, Highlighting Critical Security Gaps
In 2024, the average cost of a data breach reached a record $4.88 million, with the healthcare sector facing even steeper losses at $9.8 billion, according to IBM. The rising financial toll underscores the urgent need for robust cybersecurity measures across industries, regardless of business size.
Experts emphasize that proactive, layered security is essential to mitigating risks. Key strategies include:
- Regularly updating software and security tools (e.g., firewalls, antivirus) to patch vulnerabilities.
- Implementing multi-factor authentication (MFA) and strict access controls to limit unauthorized entry.
- Securing cloud data through tools like Cloud Access Security Brokers (CASBs), which monitor and block suspicious activity in real time. Notably, businesses, not cloud providers, are responsible for their own data security under the shared responsibility model.
- Frequent data backups (both local and cloud-based) to ensure quick recovery in case of a breach.
Human error remains a leading cause of breaches, with 68% of incidents in 2024 involving non-malicious employee actions, per Verizon’s Data Breach Investigations Report. Phishing, weak passwords, and improper data handling are common pitfalls. To combat this, companies are urged to train employees on security protocols, including recognizing phishing attempts and adhering to strict password policies.
Advanced protections, once reserved for large enterprises, are now accessible to smaller businesses. Solutions like AI-driven threat detection, continuous monitoring, and MFA are increasingly affordable and effective against evolving cyber threats. As cybercriminals leverage AI and sophisticated hacking techniques, businesses must adopt multi-layered defenses to stay ahead.
The article highlights that internal breaches, often the hardest to detect, pose significant risks, reinforcing the need for ongoing vigilance and adaptive security measures.
DECEMBER 2025
708
Vulnerability
26 Dec 2025 • IBM
IBM: Critical IBM API Connect Vulnerability Enables Authentication Bypass
IBM API Connect Authentication Bypass Vulnerability (CVE-2025-13915)
706
CRITICAL-2
IBM1767621759
IBM Patches Critical Authentication Bypass Flaw in API Connect (CVE-2025-13915)
IBM has released security updates to address a critical authentication bypass vulnerability in its API Connect platform, tracked as CVE-2025-13915, which carries a CVSS score of 9.8. The flaw allows remote attackers to circumvent authentication controls, granting unauthorized access to affected applications without requiring user interaction or prior privileges.
The vulnerability, classified under CWE-305 (Authentication Bypass by Primary Weakness), stems from a failure in enforcing authentication checks under specific conditions. Exploitation could lead to a full compromise of confidentiality, integrity, and availability within the affected IBM API Connect environment, exposing sensitive data and backend services.
### Affected Versions
The flaw impacts the following IBM API Connect releases:
- V10.0.8.0 through V10.0.8.5
- V10.0.11.0
IBM has released interim fixes (iFixes) for all affected versions and urges immediate patching. For organizations unable to apply updates immediately, a temporary mitigation involves disabling self-service sign-up on the Developer Portal, though this does not fully resolve the risk.
### Impact and Response
Given the severity of the flaw, security teams are advised to prioritize remediation and review API access logs for signs of unauthorized activity. The vulnerability was published in the National Vulnerability Database (NVD) on December 26, 2025, with IBM listed as the source.
IBM API Connect is widely used in enterprise environments for API management, developer access control, and secure integrations, making this flaw particularly high-risk for connected systems. Organizations running affected versions should assess their deployments and apply fixes without delay.
NOVEMBER 2025
732
Breach
12 Nov 2025 • IBM
IBM: Cost of Data Breach
AI-Driven Data Breaches Highlighted in IBM Report
704
CRITICAL-28
IBM1769139287
IBM Report Highlights AI-Driven Data Breaches as a Growing Threat to Organizations
IBM’s latest Cost of a Data Breach Report reveals a critical vulnerability in the rush to adopt AI: a widening gap between AI governance and security oversight is leaving sensitive data exposed. The study, which analyzed 600 breached organizations across 17 industries worldwide, underscores the financial and operational risks of inadequate data protection in AI initiatives.
Key findings include:
- Operational disruption impacted 31% of breached organizations, with recovery costs and downtime straining resources.
- AI supply chain and model attacks contributed to 60% of breaches, directly compromising data integrity.
- Beyond immediate financial losses, including regulatory fines, breaches eroded customer trust, leading to reputational damage and churn.
For chief data officers (CDOs) and data leaders, the report serves as a stark reminder of the dual challenge they face: accelerating AI-driven innovation while safeguarding data against evolving threats. The findings position data security not just as a technical issue but as a strategic leadership priority, demanding stronger governance frameworks to balance transformation with resilience.
NOVEMBER 2025
734
Vulnerability
06 Nov 2025 • IBM
IBM
732
LOW-2
IBM4593045110625
The incident involves a 403 Forbidden error, indicating unauthorized or restricted access to an IBM web resource. While the error itself does not explicitly detail a cybersecurity breach, such errors can sometimes mask underlying security issues like misconfigured access controls, failed authentication attempts, or potential probing by malicious actors. If this error persists across critical systems or is part of a larger pattern (e.g., repeated unauthorized access attempts), it could signal a vulnerability in IBM’s web infrastructure—either an exposed endpoint, improper permission settings, or a precursor to a more severe attack (e.g., reconnaissance for a future breach). Without additional context, the direct impact remains unclear, but unauthorized access attempts or misconfigurations could lead to data exposure or system compromise if left unaddressed.
OCTOBER 2025
735
Vulnerability
25 Oct 2025 • IBM
IBM
733
LOW-2
IBM4862048102525
The incident involves a 403 Forbidden error, which typically indicates unauthorized access to a restricted resource on IBM’s systems. While the error message itself does not disclose specifics, such incidents can stem from misconfigured access controls, failed authentication attempts, or potential probing by malicious actors (e.g., cyber attackers testing for vulnerabilities). If this error resulted from an external attack—such as a brute-force attempt, credential stuffing, or exploitation of an exposed API—it could signal a security weakness in IBM’s web infrastructure. However, the provided details do not confirm data compromise, system breach, or operational disruption. The lack of further context (e.g., logs, incident reports) limits assessment to a potential low-impact security event, though it warrants investigation to rule out targeted reconnaissance or early-stage cyber threats.
SEPTEMBER 2025
759
Breach
03 Sep 2025 • IBM
IBM (as referenced in the study with Palo Alto Networks)
Security Architecture Bloat and Fragmentation Leading to Increased Cybersecurity Risks
731
HIGH-28
IBM500090325
The article highlights systemic vulnerabilities in IBM’s research, where organizations managing an average of 83 security tools from 29 vendors face severe operational inefficiencies. Fragmented architectures—exemplified by IBM’s findings—create blind spots, with 95% of security leaders admitting redundant tools lack full integration. This sprawl leads to 72-day delays in threat detection and 84-day delays in containment, directly enabling attackers to exploit gaps. The study underscores that one-third of breaches originate from phishing, with Secure Email Gateways (SEGs) failing to block an average of 67.5 phishing emails per 100 mailboxes monthly. Default configurations, misaligned protections, and unintegrated tools amplify risks, resulting in missed handoffs, poor detection, and inflated response costs. The cumulative effect is reputational damage, financial loss from prolonged breaches, and erosion of customer trust, particularly for smaller teams lacking resources to maintain defenses. IBM’s own data reveals that non-consolidated environments suffer 101% lower ROI compared to unified platforms, signaling systemic exposure to sophisticated social engineering and evolving threat tactics that bypass static defenses.
AUGUST 2025
759
JULY 2025
758
JUNE 2025
760
Vulnerability
05 Jun 2025 • IBM
IBM
IBM Cloud Outage and Critical Vulnerability
758
CRITICAL-2
IBM347060525
IBM experienced a cloud outage on Wednesday that lasted over four hours, causing users to be unable to access the console for managing their cloud resources or to open and view support cases. This outage repeated a similar incident from Tuesday. Additionally, IBM identified a critical-rated vulnerability in its QRadar threat detection and response tools and Cloud Pak for Security integration suite, which left a password in a configuration file. The vulnerability was scored 9.6 on the Common Vulnerability Scoring System, and IBM's security bulletin also advised of four other QRadar flaws.
MAY 2025
757
Vulnerability
01 May 2025 • IBM
IBM
755
LOW-2
IBM3762037111125
The incident involves a 403 Forbidden error on an IBM web page, indicating unauthorized access or a misconfigured security restriction. While the error itself does not explicitly detail a cyberattack, it may suggest a potential access control vulnerability or an unintended exposure of internal systems. If exploited, such vulnerabilities could allow attackers to probe deeper into IBM’s infrastructure, potentially leading to data exposure or service disruptions. The incident reference number (18.561e1202.1762842001.646fd49b) implies internal tracking, but no public details confirm data breaches or operational impact. However, unaddressed access flaws could escalate into broader security risks, including credential stuffing, API abuses, or reconnaissance for targeted attacks. IBM’s global scale means even minor vulnerabilities could have cascading effects if left unresolved.
JANUARY 2025
754
Vulnerability
30 Jan 2025 • IBM
IBM
752
LOW-2
IBM4262042091025
The incident involves a 403 Forbidden error, indicating unauthorized access to an IBM web resource (Incident ID: 18.ceb0f748.1757485191.4eafbe3). While the error itself does not confirm a breach, it suggests a potential misconfigured access control, exposed internal page, or failed security measure that could allow attackers to probe for vulnerabilities. If exploited, this could lead to unauthorized data exposure, credential harvesting, or further system infiltration. The lack of public details implies IBM may have mitigated the issue internally, but the incident highlights risks of improper access restrictions, which are common entry points for cyber attacks. Without evidence of data theft or operational disruption, the impact remains speculative but warrants classification as a security vulnerability requiring remediation to prevent escalation.
JUNE 2024
809
Breach
16 Jun 2024 • IBM
IBM (as referenced in the article)
741
CRITICAL-68
IBM5434154110425
The article highlights IBM’s 2024 Cost of a Data Breach Report, which underscores escalating financial and operational damages from breaches due to prolonged investigations, regulatory scrutiny, and unauthorized data exposure—including leaks via ungoverned AI tools or improper file sharing. The report aligns with broader trends cited by ENISA (2024), noting persistent ransomware and data theft targeting sensitive corporate and customer data. These breaches exploit weak access controls, unclear permissions, and inadequate audit trails in virtual data rooms (VDRs), leading to costly remediation, reputational harm, and compliance violations. The financial impact is compounded by delayed incident response, where breaches involving high-value data (e.g., M&A documents, employee records, or customer PII) incur higher cleanup costs and regulatory penalties. The article implies that organizations using substandard VDRs face increased risk of insider threats, third-party leaks, or ransomware attacks, as demonstrated by real-world cases where unauthorized AI processing or mass downloads of sensitive files went undetected until post-breach forensics. The cumulative effect threatens deal integrity, investor trust, and long-term business viability, particularly in high-stakes sectors like finance, healthcare, or critical infrastructure.
Breach
16 Jun 2024 • IBM
IBM: Average Cost of a Healthcare Data Breach Falls to $7.42 Million
Healthcare Data Breach Costs Drop, but U.S. Breaches Hit Record High in 2025
741
CRITICAL-68
IBM1769139399
IBM’s 2025 Cost of a Data Breach Report reveals a mixed landscape for cybersecurity costs, with global averages declining for the first time in five years while U.S. breaches reach unprecedented levels. The study, based on data from 600 organizations across 16 countries and 17 industries, found that the global average cost of a data breach fell to $4.44 million, down from previous years. However, U.S. breaches surged to a record $10.22 million, a 9.2% increase from 2024, driven by higher regulatory fines and escalation costs.
Healthcare remained the most expensive industry for breaches, though costs dropped significantly, to $7.42 million on average, down $2.35 million year-over-year. Despite the decline, healthcare breaches still took the longest to detect and contain (279 days), five weeks longer than the global average of 241 days, a nine-year low.
Key Trends and Findings:
- Initial Access Vectors: Phishing (16%) overtook stolen credentials (10%) as the top attack method, with supply chain compromise (15%) ranking second.
- Ransomware: While attacks persist, fewer organizations paid ransoms: 63% refused in 2025, up from 59% in 2024. Ransom demands averaged $5.08 million, but law enforcement involvement (now at 40%, down from 52%) reduced breach costs by $1 million when utilized.
- Operational Impact: Nearly all breached organizations faced disruptions, with most taking over 100 days to recover. Nearly half (49%) planned to offset costs by raising prices, with a third considering increases of 15% or more.
- Cost Drivers: Detection and escalation ($1.47 million), lost business ($1.38 million), and post-breach response ($1.2 million) remained the largest expense categories, though all saw slight declines.
- Mitigation Factors: DevSecOps (-$227K), AI/ML-driven insights (-$223K), and security analytics (-$212K) were the most effective at reducing costs. Conversely, supply chain breaches (+$227K), security complexity (+$207K), and shadow IT (+$200K), meaning unauthorized software or devices, drove costs higher. Organizations with high shadow IT levels faced $670K more in breach expenses.
- AI Risks: AI adoption outpaced governance, with 97% of breached organizations lacking proper AI access controls. 13% of organizations reported AI-related security incidents, while 16% of breaches involved attacker-used AI, primarily for phishing (37%) and deepfakes (35%).
- Investment Shifts: Only 49% of organizations plan to increase cybersecurity spending in the next year, down from 66% in 2024, with less than half prioritizing AI-driven solutions.
The report underscores persistent vulnerabilities in healthcare, the financial toll of delayed breach responses, and the growing risks of ungoverned AI and shadow IT in enterprise environments.
SEPTEMBER 2023
831
Breach
22 Sep 2023 • IBM
International Business Machines Corporation
Unauthorized Access to Personal Information on IBM's Janssen CarePath Platform
803
CRITICAL-28
IBM040091825
The California Office of the Attorney General disclosed that IBM suffered an unauthorized access incident affecting the Janssen CarePath platform, a database containing personal information. The breach was reported on September 22, 2023, though the exact date of the intrusion remains undisclosed. While the specifics of the compromised data were not detailed in the report, the incident involved the exposure of personal information, likely belonging to customers or patients associated with the platform. Given the nature of Janssen CarePath—a service supporting healthcare-related financial and treatment assistance—the breach raises concerns about potential misuse of sensitive health or personally identifiable information (PII). IBM has not publicly confirmed the scale of the breach or whether the exposed data was exfiltrated, but the involvement of a government authority suggests regulatory scrutiny and possible compliance implications under data protection laws like CCPA (California Consumer Privacy Act) or HIPAA (Health Insurance Portability and Accountability Act) if health data was impacted.
MAY 2020
829
Cyber Attack
01 May 2020 • IBM
IBM (Healthcare Sector Example)
820
CRITICAL-9
IBM1362513090425
The IBM report highlights the escalating financial toll of data breaches in the healthcare industry, which consistently ranks as the most expensive sector for such incidents. Between May 2020 and February 2025, the average cost of a healthcare data breach surged to $10.93 million USD, the highest across all industries. These breaches often involve the exposure of highly sensitive patient records, including medical histories, treatment details, and personally identifiable information (PII). A typical incident in this sector may stem from a cyber attack—such as ransomware or targeted hacking—where threat actors exploit vulnerabilities in hospital IT systems or third-party vendors.
The consequences extend beyond financial losses, disrupting critical healthcare services. For instance, a ransomware attack could encrypt patient databases, delaying emergency treatments, surgeries, or diagnostic procedures. In extreme cases, such disruptions have been linked to increased patient mortality rates. The breach’s ripple effects also erode public trust, trigger regulatory fines (e.g., HIPAA violations), and necessitate costly remediation efforts, including system overhauls and credit monitoring for affected individuals.
Given the life-or-death stakes of healthcare data integrity, these breaches are classified among the most severe, often involving criminal hackers or state-sponsored groups targeting intellectual property (e.g., drug patents) or aiming to destabilize regional health infrastructure.
APRIL 2020
831
Vulnerability
01 Apr 2020 • IBM
IBM
IBM Data Risk Manager Zero-Day Vulnerabilities
829
HIGH-2
IBM162291222
Four zero-day vulnerabilities impacted an IBM security product after the company refused to patch bugs following a private bug disclosure attempt.
The bugs impacted the IBM Data Risk Manager (IDRM).
It is an enterprise security tool that aggregates feeds from vulnerability scanning tools and other risk management tools to let admins investigate security issues.
The compromise of the product led to a full-scale company compromise, as the tool had credentials to access other security tools.
It contained information about critical vulnerabilities that affect the company.
JANUARY 2013
833
Breach
01 Jan 2013 • IBM
IBM and AT&T: Whistleblower Accuses IBM, AT&T of Covering Up Breaches
IBM and AT&T Accused of Covering Up Years-Long Data Breaches by Chinese Hackers
799
CRITICAL-34
ATTIBM1780946436
A recently unsealed whistleblower lawsuit alleges that IBM and AT&T concealed multiple data breaches spanning from 2013 to 2016, including attacks attributed to Chinese state-backed hackers. William Barlow, IBM’s former vice president of threat intelligence, claims the company knew of breaches affecting its core network but failed to disclose them to authorities.
The complaint asserts that Chinese threat actor APT 10 may have breached IBM’s systems over 56,000 times during the three-year period. Despite an alert from the Five Eyes intelligence alliance in 2017 prompting an internal investigation, IBM allegedly lacked critical logs to determine the scope of the breaches, a lapse in standard security practices. The lawsuit further states that neither IBM nor AT&T could confirm what data was accessed, altered, or exfiltrated due to poor network design and insufficient logging.
Barlow also alleges that breaches extended to at least two IBM subsidiaries, which were similarly concealed. AT&T, which managed IBM’s network infrastructure, is named in the complaint for its role in the alleged cover-up.
IBM has denied wrongdoing, stating that the complaint, filed six years ago, was reviewed by the U.S. Department of Justice, which declined to intervene. A company spokesperson maintained that IBM’s actions complied with legal requirements. The case highlights long-standing concerns over corporate transparency in cybersecurity incidents involving state-sponsored threat actors.
Cyber Attack
01 Jan 2013 • IBM
IBM and Truven: Former cyber executive turned whistleblower accuses IBM of covering up several data breaches
Alleged Decade-Long Cover-Up of State-Sponsored Cyberattacks on IBM
799
CRITICAL-34
MERIBM1780698286
Former IBM Executive Alleges Decade-Long Cover-Up of State-Sponsored Cyberattacks
A recently unsealed 2020 lawsuit filed by William Barlow, IBM’s former vice president of threat intelligence, accuses the company of concealing multiple cyber breaches, including attacks by foreign governments, over the past decade. Barlow, who left IBM in August 2019, claims the tech giant failed to disclose breaches of its core network and subsidiaries, despite evidence of extensive compromise.
The lawsuit centers on a 2013–2016 campaign attributed to APT 10, a Chinese state-linked hacking group indicted by the U.S. in 2018. According to Barlow, intelligence officials from the Five Eyes alliance (U.S., U.K., Canada, Australia, and New Zealand) warned IBM of the breach in March 2017, prompting an internal investigation. The probe found that APT 10 potentially breached IBM’s network over 56,000 times, compromising 400 accounts and nearly 200 systems across 18 countries and multiple business units. However, IBM allegedly did not retain access logs, hindering further investigation.
Barlow further alleges that IBM never notified government authorities or customers, including the U.S. federal government, a major IBM client. The complaint describes IBM’s infrastructure as outdated and vulnerable, with hackers moving undetected across its systems. Additionally, Barlow claims breaches at two IBM subsidiaries: Trusteer (a cybersecurity firm acquired in 2013) in 2018 and Truven (a healthcare data company acquired in 2016), which was allegedly breached multiple times post-acquisition.
IBM has denied wrongdoing, stating the lawsuit is six years old and that the U.S. Department of Justice declined to intervene. The company maintains it acted within the law. Barlow’s lawyer has indicated plans to aggressively litigate the case, framing the allegations as incompatible with IBM’s role as a federal cybersecurity vendor.
The case highlights concerns over undisclosed breaches at major tech firms, even as stricter data breach notification laws have been enacted in recent years.