A former senior cybersecurity executive at IBM has accused the technology giant and telecommunications company AT&T of concealing major cyber intrusions linked to foreign hackers while continuing to secure lucrative contracts with the United States government.
The allegations are detailed in a whistleblower lawsuit filed by William Barlow, IBM’s former Vice President of Threat Intelligence, who claims that both companies failed to disclose repeated cyberattacks affecting systems used by various federal agencies, including military organizations. The lawsuit, which was initially filed under seal in 2020 under the False Claims Act, was recently made public after the US Department of Justice declined to intervene in the case.
According to court documents, Barlow alleges that IBM and AT&T knowingly withheld information regarding significant cybersecurity incidents while continuing to assure government customers that their networks and systems remained secure. The lawsuit contends that the companies maintained federal contracts despite being aware of vulnerabilities and breaches within their infrastructure.
Barlow, who worked at IBM between 2017 and 2019, claims he personally observed multiple security incidents affecting the company’s core networks. He alleges that company executives pressured him to modify internal cybersecurity reports by minimizing the severity of breaches and excluding critical details. The complaint further states that senior leadership took deliberate measures to prevent regulators and government clients from learning the full extent of the cyber intrusions.
One of the central allegations in the lawsuit is that IBM’s network was targeted by foreign threat actors, including hackers allegedly linked to the Chinese government. The complaint specifically references APT10, a cyber espionage group that has previously been accused by US authorities of conducting cyberattacks against government agencies and private-sector organizations worldwide.
According to the lawsuit, intelligence agencies alerted IBM to suspicious communications between internet addresses associated with the company and infrastructure believed to be used by APT10. Internal investigations reportedly uncovered more than 50,000 potential indicators of compromise linked to the hacking group between 2013 and 2016.
The complaint further alleges that separate investigations revealed unauthorized access to nearly 400 compromised accounts and close to 200 systems and servers spanning 18 countries. Barlow argues that the scale of the intrusions was so extensive that the companies were unable to determine exactly what information had been accessed, altered, or potentially stolen.
In one of the lawsuit’s most serious claims, Barlow alleges that officials from the National Security Agency questioned him regarding suspected Chinese cyber activity. He says he was instructed by company leadership to avoid providing direct answers to those inquiries. However, the complaint does not identify the individuals who allegedly issued those instructions.
IBM has strongly rejected the allegations. In a statement, company spokesperson Adam Pratt emphasized that the lawsuit was filed several years ago and noted that the Department of Justice chose not to join the case.
“This complaint was filed six years ago, and the US Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law,” Pratt said.
AT&T has not publicly responded to the allegations or media requests for comment.
Barlow’s attorney, Jason T. Brown, described the case as involving billions of dollars in federal business conducted by IBM and AT&T. He argued that companies providing cybersecurity services to government agencies should be held accountable if they fail to disclose serious security issues within their own networks.
The lawsuit remains active in federal court in New York. While the Justice Department’s decision not to intervene does not determine the outcome of the case, the allegations have renewed scrutiny over cybersecurity transparency among major government contractors.
As legal proceedings continue, the case could have significant implications for how technology and telecommunications companies report cyber incidents to federal authorities and manage cybersecurity obligations tied to government contracts.
Also Read: IBM Unveils $5 Billion ‘Project Lightwell’ to Counter Rising AI-Powered Cyber Threats
Author: Shivam
Shivam Dwivedi is a senior journalist with extensive experience in research-driven journalism, policy communication, and multi-platform storytelling. His areas of interest include international relations, defence, science & technology, education, urban development, agriculture, spirituality, and environmental sustainability. His work focuses on in-depth analysis, public discourse, and impactful narratives across governance and development sectors, with a strong commitment to the Sustainable Development Goals (SDGs). Contact: [email protected]
