Hacker News
by dx87 2743 days ago
What should the companies have done to protect themselves against the state sponsored attack? The article doesn't say how they were compromised, so what "reasonable measures" didn't they take to mitigate being targeted by a powerful nation?
3 comments

This is a fair point. Many of these large data breaches are revealed to be the result of negligence on the company's part (and often the company faces few to no consequences beyond public shaming). But in this particular case we simply don't have enough information yet to make that type of claim.
Taken from another commenter:

> according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation.

Junior Sysadmins straight out of a bootcamp can negate that.

Sure, maybe this was something beyond what could be reasonably prevented by a non-state. I don't think we know yet.

But they have a duty after the fact as well, to ensure the damage is minimized. That includes actually telling those potentially impacted what is known, etc.

This is true. It starts with China, it's their fault, but if your customers are compromised as a result they need to know to protect themselves, or it spreads like a virus.

IBM is not to blame for the initial attack. But any further attacks that result from their silence can have a good share of blame laid at their feet.