Attorneys at Washington, DC-based law firm Butera & Andrews allege that an unidentified hacker working within IBM’s WebSphere services facility in Durham, N.C., secretly dropped malicious code into the firm’s e-mail server, giving the perpetrator unauthorized access to the system.
In a lawsuit filed against IBM in April, Butera & Andrews claims its servers were hit by the assailant’s code more than 40,000 times throughout 2005. The law firm couldn’t identify a motive for the attack, but it says the IP address of the miscreant computer is registered to a system inside IBM’s Durham facility. As part of the lawsuit, Butera & Andrews charge IBM with lax security procedures at the site where the alleged breach is said to be have been initiated.
IBM is refuting the allegations, filing a motion to have the lawsuit dismissed. According to IBM, the IP address identified in the suit belongs to Workforce.com, a web-based publication owned by Crain Communications. Butera & Andrews counters that the address belongs to IBM, even if Workforce is currently using it, and it says it has documents that corroborate its claims.
For IBM’s sake, Butera & Andrews had better be wrong. It obviously wouldn’t be good if malware and hacking were traced to Big Blue, even if the malefactor was one rogue employee with a twisted grudge or nothing better to do on a slow day at work.
Regardless of whether the allegations are true, IBM is likely to review security policies and procedures relating to outbound communication. The whole ugly affair might result in an interesting internal debate within IBM, pitting the principle of employee privacy against the business imperative of mitigating liability exposure resulting from illicit activities originating from with IBM’s administrative domain. In that debate, at least inside IBM, the latter would win.