Whistleblower alleges IBM hid repeated Chinese breaches from U.S. government

IBM is facing a whistleblower test that goes beyond a single breach allegation: whether a major federal contractor concealed repeated cyber intrusions while certifying its systems were secure enough for government work. A former company cybersecurity executive says IBM and AT&T hid foreign hacks from U.S. officials, in a case that remained under seal after being filed in 2020 and was made public only after the Justice Department declined to intervene.

The whistleblower, William Barlow, is IBM’s former vice president of threat intelligence. Barlow worked at IBM in two stints beginning in 2002 and held the threat-intelligence role from 2017 until his resignation in 2019. His complaint alleges that IBM’s core network was breached by Chinese hackers between 2013 and 2016, with the company concluding the intruders may have penetrated the network more than 56,000 times. The filing also alleges that at least two IBM subsidiaries were breached and that IBM covered up those incidents as well.

The case matters because the networks at issue were not ordinary corporate systems. The lawsuit says IBM and AT&T operated a “Core Network” that supported IBM cloud computing infrastructure used by parts of the U.S. government, including the military. Barlow’s complaint says IBM at times could not determine who got in or what was taken, yet still downplayed or concealed the incidents before entering government agreements that required it to certify it had no significant unresolved cybersecurity issues. For a company that sells cybersecurity services and maintains government contracts, the alleged gap between internal knowledge and external disclosure goes to the heart of federal accountability rules.

IBM pushed back. Adam Pratt, a company spokesperson, said, “This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene,” and added that “IBM is confident that our actions followed the letter of the law.” AT&T did not respond to requests for comment. The complaint remains pending in federal court in New York.

The alleged campaign is tied to APT10, a Chinese state-linked hacking group that the FBI and Justice Department said in 2018 stole hundreds of gigabytes of sensitive data from companies around the world. FBI Director Christopher Wray later described the victim list as a “Who’s Who” of the global economy. Barlow’s allegations land in a broader policy fight over disclosure failures, logging gaps and the obligations of large contractors that can quietly absorb cyber damage while continuing to serve government customers.