Former IBM Cybersecurity Executive accuses company of concealing multiple data breaches

A newly unsealed whistleblower lawsuit has levelled explosive allegations against International Business Machines Corp. (IBM) and AT&T Inc., claiming the corporate giants concealed a series of massive cyberattacks by foreign state-sponsored hackers while certifying their systems were secure to secure lucrative U.S. government contracts. The legal complaint, originally filed under seal in 2020 in a New York federal court, was made public following a judge's order after the U.S. Department of Justice declined to formally intervene in the case.

The lawsuit was brought forward by William Barlow, who served as IBM’s Vice President of Threat Intelligence until August 2019. Barlow alleges that IBM and AT&T repeatedly violated the False Claims Act by covering up intrusions into their shared infrastructure, frequently referred to as the "Core Network", which supports massive cloud environments utilized by the U.S. military and various federal agencies.

The 56,000-hit Chinese hacking campaign

The core of the lawsuit details a staggering security failure involving APT 10, a notorious hacking group closely linked to the Chinese government. According to the complaint, the multi-year infiltration came to light in March 2017 after intelligence officials from the "Five Eyes" alliance, comprising the United States, United Kingdom, Canada, Australia, and New Zealand, warned IBM that its internet addresses were actively communicating with known Chinese cyber-espionage infrastructure.

The warning prompted an internal investigation that uncovered an overwhelming breach. IBM’s own probes allegedly identified more than 56,000 potential "hits" from APT 10 between 2013 and 2016. A subsequent internal report cited in the lawsuit revealed that the attackers had compromised nearly 400 user accounts and infiltrated almost 200 distinct systems and servers.

The breach actively spanned 18 countries, bleeding into every single one of IBM’s business units and compromising data managed in partnership with AT&T.

Executive pressure and alleged cover-ups

Barlow claims he personally witnessed multiple network intrusions and was subsequently pressured by high-ranking executives to soften internal technical reports, deliberately omitting critical details. Furthermore, the suit alleges that when officials from the National Security Agency (NSA) questioned Barlow directly about the Chinese intrusions, he was explicitly instructed by superiors to "dodge" the inquiries.

The whistleblowing executive also points to systemic failures beyond IBM’s core systems. He alleges that multiple subsidiaries acquired by IBM, including the cybersecurity startup Trusteer (acquired in 2013) and the health data firm Truven (acquired in 2016 for $2.6 billion), suffered separate, severe data breaches that IBM executives actively chose to downplay or hide from regulators and public markets.

By concealing these active vulnerabilities, the lawsuit argues that both IBM and AT&T were able to falsely certify to the federal government that they had no significant, unresolved cybersecurity issues. These clean bills of health allowed them to maintain compliant status and secure billions of dollars in taxpayer-funded tech infrastructure contracts.

Corporate responses and legal next steps

In response to the unsealing of the records, IBM has dismissed the merit of the legal claims. Company spokesperson Miki Carver stated that the complaint is several years old and emphasized that the Department of Justice looked into the matter and chose not to join the litigation. Carver added that IBM remains entirely confident that its actions and reporting mechanisms followed the letter of the law.

Representatives for AT&T have not yet provided a detailed comment on the active allegations. Legal counsel representing Barlow confirmed they intend to aggressively pursue the case in federal court, pointing out the inherent contradiction of marketing elite cybersecurity services to federal defense agencies while allegedly harboring hidden, severe vulnerabilities within their own corporate networks.