IBM Faces Whistleblower Claims Over Alleged Foreign Hacks and Undisclosed Data Breaches

A former IBM cybersecurity executive has accused the company of covering up several data breaches allegedly linked to foreign government hackers, bringing renewed scrutiny to how major technology companies handle cyber incidents involving sensitive networks and government customers.

The allegations were made by William Barlow, who served as IBM’s vice president of threat intelligence until August 2019. The claims appeared in a lawsuit filed in 2020 and unsealed this week.

Barlow alleged that IBM was hacked three times in the previous decade by foreign governments and later covered up the incidents. He also claimed that Chinese hackers breached IBM’s core network between 2013 and 2016, and that the company never disclosed the breaches after reaching internal conclusions about the intrusions.

Lawsuit points to alleged APT10 activity

The complaint focused heavily on APT10, a Chinese government-linked hacking group.

TechCrunch reported that then-FBI Director Christopher Wray previously said APT10 had targeted a “Who’s Who” of the global economy when members of the group were indicted in 2018.

Barlow alleged that intelligence officials from Australia, Canada, New Zealand, the United States, and the United Kingdom — known as the Five Eyes alliance — warned IBM in March 2017 about the breach. That warning reportedly prompted an internal company investigation.

IBM’s investigation concluded that APT10 potentially breached the company’s network more than 56,000 times between 2013 and 2016.

The complaint also alleged that IBM could not investigate further because it had not kept logs showing who accessed its network and when. For cybersecurity teams, access logs are critical because they help determine how attackers entered a system, what data they reached, and whether they remained inside the network undetected.

Hundreds of accounts and systems allegedly affected

The lawsuit also cited an internal IBM report claiming that attackers compromised or accessed nearly 400 accounts and almost 200 systems and servers. The alleged affected systems reportedly spanned every IBM business unit, 18 countries, and multiple IBM products.

Bloomberg reported that Barlow further claimed that hackers accessed both IBM’s own network and data the company maintained in partnership with AT&T.

The accusations are especially significant because IBM is not only a major enterprise technology company but also a cybersecurity vendor to the U.S. federal government. If a vendor serving government agencies experiences a breach, disclosure and investigation become central concerns because the impact may go beyond the company’s internal systems.

IBM says Justice Department declined to intervene

IBM pushed back on the claims. IBM spokesperson Miki Carver told TechCrunch that the complaint was filed six years ago and that the U.S. Department of Justice declined to intervene.

Carver also said IBM is confident that its actions followed the letter of the law. The company did not answer TechCrunch’s specific questions about the lawsuit and the underlying allegations.

Barlow’s lawyer, Jason Brown, said his firm is looking forward to aggressively litigating the matter. Brown also argued that a company cannot sell cybersecurity to the federal government while allegedly having serious security problems inside its own operations.

Subsidiaries also named in complaint

The lawsuit also alleged breaches involving two IBM subsidiaries: Trusteer, a cybersecurity startup IBM acquired in 2013, and Truven, a healthcare data company IBM acquired in 2016. Barlow claimed Trusteer was breached in 2018 and that Truven was breached multiple times after IBM acquired it.

In both cases, Barlow accused IBM of failing to properly investigate and disclose the incidents.

The lawsuit now places IBM’s internal cybersecurity practices under closer public attention. While the claims remain allegations, the case highlights a broader issue in the technology industry: major breaches may remain undisclosed for years, especially when companies control the evidence, internal investigation process, and public reporting timeline.
