Whistleblower Alleges Decade-Long IBM Breach and Cover-Up in Unsealed Lawsuit
Former IBM threat-intel VP alleges IBM breach by APT10 from 2013-2016 and a company cover-up; unsealed 2020 lawsuit renews scrutiny of disclosure and secrecy
A former IBM senior security executive has filed a lawsuit alleging a campaign of breaches at IBM by foreign state-linked hackers and a subsequent company cover-up. William Barlow, who served as IBM’s vice president of threat intelligence until August 2019, says the complaint, filed in 2020 and unsealed this week, details extensive intrusions of IBM’s core network between 2013 and 2016. The complaint asserts that the intrusions involved APT10 and that IBM and some of its subsidiaries failed to notify customers or government authorities. The renewed public attention raises questions about incident disclosure and oversight at a major federal contractor.
Whistleblower lawsuit details
Barlow’s complaint accuses IBM of repeatedly concealing breaches discovered during his tenure and of failing to conduct or complete proper investigations into the incidents. He alleges the company concluded that Chinese-linked hackers penetrated its core systems multiple times but did not disclose those results to affected parties. The filing, which was unsealed after several years under seal, was first reported in national outlets and has prompted responses from legal counsel representing Barlow. His attorney has signaled plans to press the matter in court.
Scope and alleged APT10 intrusions
According to the complaint, internal probes found that intruders associated with APT10 accessed IBM systems thousands of times over several years. The filing claims investigators identified tens of thousands of incidents between 2013 and 2016, and that attackers accessed hundreds of accounts and scores of servers across multiple business units. Barlow’s filing says IBM’s core network log retention was inadequate, limiting the company’s ability to map attacker activity comprehensively. If accurate, the allegations describe a prolonged campaign with broad reach inside IBM’s infrastructure.
Five Eyes warning and internal findings
Barlow maintains that the so-called Five Eyes intelligence alliance—Australia, Canada, New Zealand, the United Kingdom and the United States—warned IBM of the intrusions in March 2017, prompting an internal investigation. That inquiry, the complaint says, concluded the intrusions were pervasive and identified specific compromised systems, yet stopped short of public or regulatory notification. The lawsuit highlights a reported gap between intelligence warnings and vendor disclosure practices, and it questions whether full remediation took place after the reported findings. The claim that government partners raised alarm adds a geopolitical dimension to the dispute.
Claims concerning Trusteer and Truven
The complaint extends beyond IBM’s corporate network to allege breaches at subsidiaries acquired by the company. Barlow asserts that Trusteer, a security startup IBM bought in 2013, suffered a breach in 2018, and that Truven, a health data company acquired in 2016, experienced multiple incursions after acquisition. He argues that IBM failed to properly investigate or disclose those incidents to stakeholders and regulators. These subsidiary-related claims underscore the legal and compliance complexities that can attend large-scale corporate acquisitions.
IBM’s public response and DOJ note
IBM has declined to answer detailed questions about the specific allegations, with a company spokesperson noting the complaint was filed years ago and that the U.S. Department of Justice declined to intervene. The company’s statement emphasized confidence that its actions complied with legal requirements. Legal representatives for the whistleblower have pushed back, saying an entity selling cybersecurity services to government clients must meet higher standards of transparency and internal security hygiene. The dispute frames a legal contest over what constitutes adequate disclosure and what obligations vendors owe to customers and regulators.
Potential impact on government contracts and disclosure practice
The allegations carry potential ramifications for IBM’s work with federal agencies, given the company’s role as a cybersecurity provider to the U.S. government. Critics argue that vendors entrusted with sensitive government systems must demonstrate rigorous logging, incident response, and timely notification when breaches occur. In recent years, lawmakers and regulators have tightened breach-disclosure expectations, and the lawsuit could revive scrutiny over how and when incidents are reported. The case may also prompt federal buyers to re-evaluate security requirements in procurement and post-acquisition oversight.
The unsealed complaint and subsequent media coverage have revived questions about longstanding security practices at a major technology supplier and the adequacy of controls meant to detect and document intrusions. As the lawsuit moves forward, courts will weigh the factual claims against the company’s representations and any evidence produced in discovery. For customers, regulators and lawmakers, the case underscores the persistent challenge of ensuring accountability and transparency in cybersecurity for companies that operate at the heart of critical networks.