What happened
IBM and AT&T were accused in a whistleblower lawsuit of concealing repeated breaches by foreign hackers and failing to disclose those intrusions to the U.S. government.
The complaint was filed by William Barlow, IBM’s former vice president of threat intelligence. It alleges that IBM and AT&T failed to disclose multiple breaches over several years by attackers linked to foreign governments and made false assurances about the security of their systems to win and keep federal contracts.
The lawsuit was filed under seal in 2020 and remains pending before a federal court in New York. It was made public this week after the U.S. government declined to intervene in the case. The government’s decision not to intervene does not indicate whether the complaint has merit.
The complaint alleges that hackers breached IBM cloud computing infrastructure used by many parts of the U.S. government, including the military. AT&T operates the “Core Network” on behalf of IBM, and AT&T systems are part of that network, according to the complaint.
Barlow alleged that foreign and unidentified hackers repeatedly infiltrated the network and that IBM and AT&T sometimes could not determine who gained access or what was taken. The lawsuit also alleges that IBM downplayed or concealed incidents before entering government agreements that required the company to certify it had no significant unresolved cybersecurity issues.
IBM denied wrongdoing. A company spokesperson said the complaint was filed six years ago, noted that the Department of Justice declined to intervene, and said IBM is confident that its actions followed the law. AT&T did not respond to requests for comment.
The lawsuit alleges that Barlow personally witnessed numerous breaches of IBM’s core network and was pressured by executives to soften internal reports and omit details. He also alleged that IBM senior management actively took steps to cover up and conceal hacks from U.S. regulators and government clients.
Chinese government-backed hackers were allegedly involved in some of the breaches cited in the complaint. Barlow alleged that the Chinese hacking group APT 10 stole data from 100,000 U.S. Navy personnel by infiltrating IBM’s networks. The complaint also alleges that intelligence agencies told IBM that internet addresses associated with its network were connecting to APT 10 infrastructure.
An internal company investigation allegedly found more than 50,000 potential APT 10-related hits between 2013 and 2016. Another internal probe allegedly found that attackers had accessed nearly 400 compromised accounts and almost 200 systems and servers in 18 countries across every business unit. The lawsuit alleges that IBM could not investigate further because it did not keep access logs.
Who is affected
IBM and AT&T are directly affected by the allegations because the complaint accuses them of concealing cyber intrusions and making false assurances tied to federal contracts.
U.S. government agencies that used the allegedly breached IBM cloud infrastructure may also be affected, including military entities referenced in the complaint. The lawsuit raises questions about whether sensitive government information may have been exposed, accessed, altered, or taken, though it also alleges that the companies sometimes could not determine what had happened because of poor network design and missing access logs.
Federal contractors and organizations that provide cloud, telecommunications, or managed infrastructure services to government clients are also affected by the broader implications. The complaint focuses on whether companies can continue to sell cybersecurity and infrastructure services to the government while allegedly failing to disclose serious unresolved security issues.
Why CISOs should care
This case highlights the legal and governance risk of concealing or downplaying cyber incidents, especially for organizations doing business with the government. The allegations are not only about the breaches themselves. They are also about whether IBM and AT&T failed to disclose those breaches while making security assurances connected to federal contracts.
For CISOs, the complaint reinforces the importance of accurate internal reporting. Barlow alleged that he was pressured to soften reports and omit details. If true, that kind of pressure can undermine incident response, executive decision-making, legal disclosure obligations, and customer trust.
The logging issue is also important. The lawsuit alleges that IBM could not fully investigate some activity because it did not keep access logs. Without sufficient logs, organizations may be unable to determine who accessed systems, what data was affected, whether data was exfiltrated, or whether attackers remain inside the environment.
The case also shows how cyber incidents involving government contractors can become False Claims Act matters. If security representations are tied to federal payments or contracts, inaccurate assurances may create legal exposure far beyond the technical incident.
3 practical actions
- Preserve accurate incident records and resist pressure to soften findings: The complaint alleges that internal reports were softened and details were omitted. CISOs should ensure that incident reports clearly document what is known, what is unknown, what evidence supports each conclusion, and which risks remain unresolved.
- Validate cybersecurity claims before certifying contract compliance: The lawsuit alleges that IBM made false assurances about the security of its systems to win and keep federal contracts. Organizations that sell to government clients should review security certifications, contract representations, and unresolved incidents before making compliance statements.
- Maintain logs needed to investigate foreign intrusion activity: The complaint alleges that IBM could not further investigate some activity because it did not keep access logs. CISOs should confirm that critical cloud, network, identity, and administrative systems retain logs long enough to support breach investigations, regulatory inquiries, and customer disclosure decisions.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

