
IBM and AT&T allegedly hid foreign hacks from Washington

A former IBM cybersecurity chief says the companies concealed repeated intrusions to keep federal business, raising the stakes for contractors and regulators.

By Turki Al-Mutairi, Business Desk, The Executives Brief
Executive summary

William Barlow, IBM’s former vice president of threat intelligence, alleges IBM and AT&T were repeatedly breached by foreign hackers and failed to disclose it to the US government. If true, the case spotlights how much federal contractors can lose when security reporting, contract certifications, and actual network hygiene diverge.

A former IBM cybersecurity executive is accusing IBM and AT&T of something no federal contractor wants in the headline: hiding foreign hacks from the US government. William Barlow, IBM’s former vice president of threat intelligence, says the companies were repeatedly breached by attackers linked to foreign governments and then concealed those intrusions while still seeking and keeping government business. The complaint, filed under seal in 2020 and made public this week after the US government declined to intervene, is still pending in federal court in New York.

The alleged exposure is not small. The lawsuit says the hackers breached IBM’s massive cloud computing infrastructure, which is widely used by many parts of the US government, including the military. AT&T operates the “Core Network” on behalf of IBM, and the Dallas-based telecom company’s systems are part of it, according to the complaint. That matters because this is not just a company-security story, it is a federal supply-chain story. If a contractor’s internal network is the highway for government data, then every undocumented intrusion raises the same ugly question: who got in, what did they take, and who knew when.

According to the complaint, IBM and AT&T did not just suffer breaches, they allegedly failed to disclose multiple breaches over years and made false assurances about system security to win and keep federal contracts. Barlow claims he personally witnessed numerous breaches of IBM’s core network and was pressured by executives to soften internal reports and omit details. He also alleges IBM senior management “actively took steps to cover up and conceal” hacks from US regulators and government clients. The filing says the companies sometimes could not determine who got in, or what was taken, because the network design and logging were so poor. In the complaint’s words, “The data breaches are so large and the core networks so poorly designed that neither IBM nor AT&T knows exactly what data was breached, who breached the data, where the data was breached or whether any data was exfiltrated, altered and/or modified in any respect.”

That uncertainty is exactly why this case is so combustible. Federal contractors do not just sell technology, they sell confidence. And under the False Claims Act, that confidence can become a legal obligation if a company certifies to the government that it has no significant unresolved cybersecurity issues. Barlow alleges IBM downplayed or concealed incidents before entering those agreements. The law at issue also matters because it lets private whistleblowers sue for alleged fraud against the government, and, if the government intervenes or damages are recovered, the case can produce large financial consequences. The complaint’s attorney, Jason T. Brown, said the allegations implicate billions of dollars of federal business with AT&T and IBM, and added: “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.” Brown also said, “We’re looking forward to aggressively litigating the matter.”

The complaint reaches beyond generic cyber risk and into geopolitics. It says Chinese government-backed hackers were allegedly involved in some of the breaches cited in the suit. In 2018, the US Department of Justice charged two alleged members of a Chinese hacking group that it said had waged a decade-long campaign to steal the data of 100,000 US Navy personnel. Barlow says that group, known as APT 10, carried out that theft by infiltrating IBM’s networks. The suit says intelligence agencies told IBM that internet addresses associated with its network were connecting to infrastructure used by APT 10, and that an internal company investigation found more than 50,000 “potential APT 10 hits” between 2013 and 2016. Another internal probe allegedly found attackers had accessed nearly 400 compromised accounts and almost 200 total systems and servers in 18 countries, across every business unit, in the following year. But because the company did not keep access logs, the suit says there was nothing further it could do to investigate.

IBM is not accepting the allegation. Spokesperson Adam Pratt said, “This complaint was filed six years ago, and the US Department of Justice declined to intervene.” He added, “IBM is confident that our actions followed the letter of the law.” AT&T did not respond to requests for comment. The Chinese Embassy in Washington also did not respond. The National Security Agency asked Barlow questions about the alleged hacks from China, according to the suit, but he says he was told to “dodge” them. The complaint does not say who gave that instruction. Barlow’s attorney said he did not know what motivated the government’s decision not to intervene, and noted that such decisions can take years and do not necessarily reflect the merit of a complaint. A federal judge in New York ordered the suit unsealed this spring after the government declined to intervene, and the court records do not explain that decision.

For executives and boards, the bigger lesson is that cyber risk is no longer just about intrusion detection. It is about disclosure discipline, recordkeeping, contractual certifications, and whether your security story can survive regulatory scrutiny years later. Barlow worked at IBM in two stints beginning in 2002, including as vice president of threat intelligence from 2017 until his resignation in 2019, and has remained visible in the security world since leaving the Armonk, New York-based company. That background gives the complaint an insider edge, but the broader takeaway is what should make every contractor uneasy: in government business, the cost of a breach can be multiplied by the cost of saying the wrong thing, or nothing at all, when the government asks what happened.
