IBM investigates claims of alleged customer data breach posted on cybercrime forum

IBM, the multinational technology and consulting company, has launched an investigation into claims that customer data linked to its systems is being offered for sale on a cybercrime forum, following the appearance of an alleged breach listing that purports to contain information on approximately 681,000 records.

The listing surfaced on a prominent underground forum, where a threat actor claimed to have breached IBM systems and exfiltrated customer data. The seller alleged that the dataset contains personally identifiable information and is available for purchase.

IBM confirmed it is aware of the claims and has begun investigating the matter.

The alleged breach has drawn skepticism from cybersecurity researchers due to the lack of supporting evidence. The threat actor did not publish any sample records to validate the claims and instead shared only a list of purported database field names.

Researchers examining the listing found several inconsistencies that raise questions about its authenticity. The structure of the alleged data does not appear to match the types of information typically associated with IBM’s services, which are primarily focused on enterprise customers rather than direct consumer offerings.

IBM Cloud accounts generally contain limited account and billing information, including payment methods, addresses and tax-related identifiers. The listing, however, references additional location coordinate data alongside personal information, an unusual combination that researchers said does not align with standard account structures.

Researchers noted that if the data originated from login activity records, additional account-related details such as email addresses or device information would typically be present. The absence of such information, combined with the lack of sample records, has weakened confidence in the claims.

Cybersecurity analysts said similar listings frequently appear on underground forums, where threat actors use the names of major corporations to attract attention and increase the perceived value of datasets. Such posts may be intended to build reputation within cybercriminal communities or to persuade buyers to purchase recycled, outdated or fabricated information.

The individual behind the IBM listing has reportedly been active on the forum since 2017 and has published numerous similar posts over the years. Many of those listings have followed a comparable pattern, featuring large record-count claims and references to prominent institutions without providing substantial evidence to support the allegations.

While the credibility of the latest claims remains uncertain, IBM has previously been affected by cybersecurity incidents. In April 2026, Sistemi Informativi, an IBM Italy subsidiary that provides information technology infrastructure for Italian public administration agencies, was compromised in an intrusion attributed to the Chinese-linked threat group Salt Typhoon. IBM acknowledged the incident and restored affected services, although the full extent of any data exposure has not been disclosed.

IBM has also reported prior security incidents involving healthcare data. In one case, an unauthorized party gained access to a patient database managed by IBM for the Janssen CarePath platform, operated by Johnson & Johnson subsidiary Janssen. The company was also among the organizations affected by the MOVEit file transfer attacks carried out by the Cl0p ransomware group. That campaign exposed personal information associated with approximately four million U.S. patients whose health records were managed by IBM.

IBM has not disclosed any evidence confirming the authenticity of the latest claims, and the investigation remains ongoing.