IBM Whistleblower Alleges Years of Concealed Foreign Hacks on Government Networks

A former IBM vice president of threat intelligence alleges the company concealed repeated breaches by Chinese state-linked hackers from 2013 to 2016, affecting hundreds of accounts across global systems. The unsealed lawsuit claims executives actively hid intrusions from U.S. regulators to protect federal contracts while AT&T's shared networks suffered similar lapses. IBM denies wrongdoing.
Written by John Marshall

William Barlow once held a senior role shaping IBM’s view of the world’s most sophisticated cyber threats. As vice president of threat intelligence, he advised the company on dangers ranging from state-sponsored actors to criminal syndicates. He left in 2019. Now he accuses his former employer of something more troubling than any external attack: deliberate concealment of repeated breaches that struck at the heart of its own infrastructure and its work for the U.S. government.

The claims surfaced in a lawsuit filed under seal in 2020 and unsealed this week. Barlow alleges that IBM and partner AT&T suffered multiple intrusions by foreign government-linked hackers yet failed to notify regulators or federal clients as required by law. Instead, the suit says, executives took active steps to hide the extent of the damage while continuing to assure Washington that their systems remained secure. The stakes run high. IBM and AT&T hold billions of dollars in contracts to protect some of the government’s most sensitive networks.

According to the complaint, the trouble began years earlier. In March 2017 officials from the Five Eyes intelligence alliance warned IBM about activity tied to APT 10, a Chinese hacking group later indicted by the U.S. Department of Justice. An internal investigation followed. It found more than 56,000 potential APT 10 intrusions between 2013 and 2016. Attackers had reached nearly 400 compromised accounts and almost 200 systems and servers. The breaches spanned every IBM business unit, 18 countries and multiple products, TechCrunch reported.

But the company’s core network, shared in part with AT&T, was archaic. Hackers could roam almost anywhere undetected. The lawsuit states the breaches were so large and the networks so poorly designed that neither IBM nor AT&T knew exactly what data was taken, who took it, or whether information had been altered. Logs were missing. Full damage assessments proved impossible. And yet, the suit alleges, IBM never disclosed these incidents to U.S. authorities.

Barlow says he witnessed the breaches firsthand. Senior management pressured him to downplay findings in internal reports. In one instance he was told to dodge questions from National Security Agency officials about the China-linked activity. The complaint describes specific cases in which IBM executives “actively took steps to cover up and conceal” the hacks from regulators and government clients. Fortune detailed those allegations.

The pattern allegedly extended beyond the core network. After IBM acquired security firm Trusteer in 2013, that unit suffered a breach in 2018 that went unreported. Truven Health Analytics, bought in 2016 for $2.6 billion, faced multiple intrusions post-acquisition. Again, the company failed to investigate thoroughly or notify authorities, according to Barlow. The former executive argues these omissions allowed IBM to keep winning and retaining federal work under false pretenses.

Such behavior, if proven, would violate federal contracting rules that demand prompt disclosure of significant cybersecurity incidents. The government remains one of IBM’s largest customers. It relies on the company for cloud services, threat detection and broader digital modernization. Selling cybersecurity solutions while allegedly hiding one’s own compromises strikes at the foundation of trust. Barlow’s attorney, Jason T. Brown, put it plainly. “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.”

IBM pushes back. Spokesperson Miki Carver, also identified in some reports as Adam Pratt, issued a short statement. “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.” The Justice Department chose not to join the case, a common outcome in False Claims Act suits, yet the whistleblower may still pursue it independently. The matter now sits before a federal judge in New York. AT&T has not commented publicly.

These revelations arrive at a delicate moment for the industry. IBM itself publishes an annual Cost of a Data Breach Report that highlights rising expenses, longer detection times in some sectors and the growing risks tied to artificial intelligence systems. The 2025 edition, released recently, notes that many organizations still lack formal governance for AI deployments even as they race to adopt the technology. Yet the Barlow lawsuit suggests that even a company positioned as an authority on these risks may have struggled with basic visibility and transparency inside its own environment. IBM’s own report underscores how breaches can cost millions while eroding confidence.

Observers inside cybersecurity circles have reacted with a mix of surprise and weary recognition. Foreign intelligence services target technology providers precisely because they sit at the intersection of so many valuable data flows. Chinese actors in particular have long focused on cloud providers and managed service companies. The 2018 indictment of APT 10 members described them as part of a campaign that hit a who’s who of the global economy. Barlow’s suit claims some of that activity routed through IBM networks to reach U.S. Navy data, among other targets.

But the most damaging element may not be the intrusions themselves. It is the alleged response. Executives who minimize findings. Reports softened to protect contracts. Questions from intelligence partners sidestepped. These choices, if substantiated, point to a culture that placed business continuity above disclosure obligations. And they raise uncomfortable questions for every enterprise that depends on third-party providers to safeguard critical systems.

The lawsuit also touches on broader tensions between commercial incentives and national security expectations. Federal agencies expect vendors to report incidents quickly under frameworks such as the Cyber Incident Reporting for Critical Infrastructure Act and longstanding contract clauses. When those reports never arrive, agencies operate with incomplete pictures of the threat environment. They may continue routing sensitive workloads through networks whose true condition remains unknown.

Barlow’s departure from IBM came in August 2019. He has since spoken at conferences and maintained a public profile in cybersecurity circles. In one earlier interview with The New York Times he described IBM’s innovative approach to employee training, including mobile cyber ranges housed in semitrailer trucks. That image of forward-looking defense contrasts sharply with the picture drawn in his legal complaint.

So what happens next? The case will likely turn on internal documents, emails and testimony that illuminate exactly what executives knew and when. If Barlow can produce the evidence he claims to hold, the financial and reputational consequences for IBM could prove substantial. Penalties under the False Claims Act can reach triple the amount of any improper payments received. Settlements in similar technology contracting disputes have run into the hundreds of millions.

Even without a final verdict, the unsealing itself delivers a blow. It reminds boards, chief information security officers and procurement officials that trust in a vendor’s security posture must be verified, not assumed. It also spotlights the difficult position faced by whistleblowers who challenge powerful employers in highly regulated fields. Barlow waited years for this moment. His allegations now sit in the open, backed by what he describes as firsthand knowledge and internal records.

Industry professionals have watched similar stories unfold before. Uber paid a significant price for its handling of a 2016 breach. Other firms have faced SEC scrutiny for delayed disclosures. Yet few cases involve a major government contractor accused of hiding state-level intrusions over several years while actively bidding for more sensitive work. The Barlow suit stands out for its scope, its specificity and its source.

IBM continues to position itself as a leader in enterprise security and AI-driven defense. Its researchers publish regularly on threat trends. Its platforms promise visibility and rapid response. The company will now have to defend those claims not only in the marketplace but inside a courtroom. For its part, the government must decide whether to revisit contracts, demand fresh audits or simply monitor the litigation from a distance.

One fact remains clear. The incidents described occurred during a period when APT 10 and similar groups were aggressively mapping Western technology supply chains. Many organizations improved their defenses afterward. Yet the gap between public assurances and private realities can persist longer than outsiders realize. Barlow’s complaint pulls back the curtain on one such gap. Whether it reveals an isolated failure or a deeper systemic issue is a question the evidence will ultimately answer.

The timing adds another layer. Recent coverage has highlighted how AI adoption often outpaces governance, leaving new attack surfaces exposed. IBM’s own data shows that many breached organizations still operate without mature policies for shadow AI or unsanctioned tools. Against that backdrop, a story about an established player allegedly failing to disclose foundational network compromises lands with particular force. It suggests that even companies that study these problems intensely can fall short when the breach strikes home.

Barlow alleges the core problem was not ignorance but choice. Management knew enough to understand the severity yet chose paths that protected revenue and reputation over transparency. That assertion, more than the technical details of any single intrusion, will test IBM’s credibility in the months ahead. Federal customers, cybersecurity peers and the broader market are paying attention.
