Key Takeaways
- Former IBM vice‑president of threat intelligence William Barlow filed a whistle‑blower lawsuit in 2020 alleging that IBM and AT&T repeatedly suffered cyber intrusions by foreign‑government‑linked hackers and concealed those breaches from the U.S. government.
- The complaint claims the companies misrepresented the security of their systems to win and retain federal contracts, violating the False Claims Act.
- The alleged intruders included the Chinese‑state‑backed group APT 10; internal investigations uncovered tens of thousands of potential hits and hundreds of compromised accounts across IBM’s global network.
- Barlow says he was pressured by senior management to soften internal reports, omit details, and even “dodge” questions from NSA officials about the attacks.
- The U.S. Department of Justice declined to intervene; the case remains pending in a New York federal court after being unsealed this spring.
- If proven, the allegations could expose billions of dollars of federal contracts to fraud penalties and raise serious concerns about the safeguarding of sensitive government data on contractor networks.
Background of the Whistle‑blower Suit
William Barlow, who served as IBM’s vice president of threat intelligence from 2017 to 2019, initiated the lawsuit under seal in 2020. He alleges that during his tenure he witnessed multiple security incidents affecting IBM’s core cloud infrastructure, which is heavily utilized by U.S. government agencies, including the military. Barlow’s complaint asserts that IBM and its partner AT&T failed to disclose these intrusions, thereby misleading federal officials about the true security posture of their networks.
Alleged Nature and Scope of the Intrusions
According to the suit, foreign hackers, some linked to the Chinese government, repeatedly penetrated IBM’s massive cloud environment and the AT&T‑operated “Core Network” that supports it. The attackers sometimes remained unidentified, and the companies could not determine what data was accessed, exfiltrated, or altered. The complaint stresses that poor network design and inadequate logging prevented IBM and AT&T from fully assessing the breach impact.
Internal Evidence Cited by Barlow
Barlow points to internal IBM investigations that revealed more than 50,000 “potential APT 10 hits” between 2013 and 2016. A subsequent review in 2017 allegedly found attackers had accessed nearly 400 compromised accounts and almost 200 systems and servers across 18 countries, affecting every business unit. Because IBM reportedly did not retain sufficient access logs, further forensic analysis was impossible, leaving the full extent of the compromises unknown.
Claims of Concealment and Pressure on Employees
The lawsuit alleges that IBM senior executives actively directed Barlow and other staff to downplay or omit details from internal breach reports. Barlow claims he was instructed to soften findings and, in one instance, to “dodge” questions from NSA officials who were inquiring about the Chinese‑linked intrusions. These actions, according to the complaint, were intended to preserve the appearance of compliance with government contracting requirements.
Connections to Chinese State‑Sponsored Hacking
Barlow’s complaint ties some of the intrusions to the Chinese hacking group APT 10, which the U.S. Department of Justice charged in 2018 with stealing data from 100,000 Navy personnel over a decade. Intelligence agencies reportedly notified IBM that IP addresses associated with its network were communicating with infrastructure used by APT 10. Barlow asserts that the group used IBM’s networks as a conduit for the Navy data theft, a claim that, if substantiated, would illustrate a direct threat to national security.
Legal Framework: The False Claims Act
The suit is filed under the False Claims Act, which prohibits submitting false or fraudulent claims for payment to the U.S. government. Whistle‑blowers like Barlow can sue on behalf of the government and, if successful, receive a portion of any recovered damages, which can potentially reach up to three times the government’s loss. The act encourages insiders to report fraud that might otherwise go undetected, especially in high‑stakes areas such as defense contracting.
Procedural History and Government Non‑Intervention
Although filed in 2020, the case remained sealed until this spring, when a federal judge in New York ordered it unsealed after the U.S. Department of Justice declined to intervene. The government’s decision not to join the litigation does not reflect on the merits of the allegations; such determinations often take years and hinge on various strategic considerations. Barlow’s attorney, Jason T. Brown, emphasized that the Department’s non‑involvement leaves the whistle‑blower to pursue the case independently.
Potential Impacts on Federal Contractors
If the allegations are proven, IBM and AT&T could face substantial financial penalties, including treble damages under the False Claims Act, and may lose eligibility for future federal contracts. The case also raises broader questions about the cybersecurity hygiene of major government contractors and the adequacy of current disclosure requirements. Legislators and oversight bodies may use the outcome to advocate for stricter reporting standards and stronger enforcement mechanisms for contractors handling sensitive data.
Statements from the Parties Involved
IBM spokesperson Adam Pratt dismissed the lawsuit, stating that the company is confident its actions complied with the law and noting that the Department of Justice’s decision not to intervene underscores the lack of merit in the claims. AT&T did not respond to requests for comment, and the Chinese Embassy likewise declined to address the allegations. Barlow’s attorney reiterated that the whistle‑blower remains committed to “aggressively litigating” the matter, arguing that selling cybersecurity services to the federal government while allegedly harboring significant internal security flaws is contradictory and unlawful.
Conclusion
The Barlow lawsuit shines a spotlight on alleged systemic cybersecurity failures and concealment practices at two of the nation’s largest technology and telecommunications providers. While the legal proceedings are still pending, the case already serves as a cautionary tale about the importance of transparent breach reporting, robust incident‑response capabilities, and accountability for contractors entrusted with protecting government data. The outcome could reshape how federal agencies vet and monitor the security practices of their private‑sector partners.

