IBM will pay the US government $900,000 to settle an 11-year-old case regarding National Defense University (NDU) hacking attempts between 2006 and 2009.

The US Defense Department's Inspector General revealed the settlement, first reported by Bloomberg, which happened on October 9, 2019. IBM provided IT services for the university, including security.

The Pentagon, 2008
– Wikimedia Commons/David B. Gleason

Reports and court docs

In 2003, IBM was contracted to provide IT services to NDU, a military college funded by the DoD and based out of Fort McNair, Washington D.C.

"IBM submitted false claims for the information technology services that it provided NDU," the report says. "IBM allegedly did not fulfill its contractual obligations to provide substantial network security services. IBM also allegedly employed unqualified personnel to carry out its contract with NDU."

According to court documents from the Armed Services Board of Contract Appeals, the NDU was subjected to six attacks between 2006 and 2009.

Ultimately, eight computers were accessed and 367 files were stolen from the NDU, as part of a larger scale operation that hit multiple educational institutions.

The US government made a claim for around $6m in alleged overcharges by IBM. By March 2013, this figure increased to $9m.

The official allegations by the government submitted to the court said that its investigation "revealed that IBM personnel did not have the appropriate subject matter expertise, and were not qualified to execute the IT security-related tasks to properly plan, test, and conduct specific tasks of IT security, as required in the subject Task Order.

"In addition, IBM failed to develop, test, and execute a proper network security incident response plan."

IBM logo
– Youtube/IBM

Dismissal denied

IBM filed a motion to dismiss the case, saying there were no contractual obligations surrounding "labor discharging." The allegations did not identify any 'contractual provision' for particular tasks or specific 'staff,' the company said,

This motion was denied in March 2018 by the Administrative Judge of the Armed Services Board, Kenneth D. Woodrow.

According to the ruling, the issue was that the individuals contracted to do the job failed to 'meet contractual specifications,' so the allegations could not be dismissed.

"We read the labor mischarging allegations in the complaint more broadly; as alleging both that appellant overcharged for tasks performed by certain individuals and that certain individuals did not perform the minimum required elements of the task order," the written conclusion said.

The same ruling also notes that the complaints by the government could have been more specific 'in terms of identifying alleged violations of contractual terms.'