Ex-IBM Cybersecurity Chief Blows the Whistle on Alleged Cover-Up of Multiple Major Data Breaches

A former IBM cybersecurity executive claims the tech giant was hacked three times by foreign governments and deliberately concealed every breach from authorities.

By Sophia Bennett

Former IBM Executive Files Explosive Lawsuit Over Alleged Breach Cover-Ups

A former senior cybersecurity official at IBM has come forward with serious allegations, claiming the technology giant suffered multiple significant data breaches at the hands of foreign state actors during the mid-2010s — and then went to extraordinary lengths to hide them.

The lawsuit, which was originally filed in 2020 but only recently unsealed, was brought by William Barlow, who served as IBM's Vice President of Threat Intelligence until his departure in August 2019. Barlow contends that IBM was penetrated by Chinese government-backed hackers on multiple occasions and that company leadership chose to suppress this information rather than report it to the appropriate authorities.

What the Lawsuit Claims

According to the complaint, IBM's internal investigation determined that the Chinese state-affiliated hacking group known as APT 10 may have breached the company's core network more than 56,000 times between 2013 and 2016. APT 10 is a well-documented cyber espionage operation linked to the Chinese government. Former FBI Director Christopher Wray previously described the group's targets as a "Who's Who" of the global economy when its alleged members were formally indicted in 2018.

Barlow's complaint states that IBM's own network and data it managed in partnership with AT&T were both compromised during this campaign. The internal probe reportedly found that nearly 400 user accounts and approximately 200 systems and servers spanning 18 countries and multiple IBM product lines had been accessed or compromised.

Despite the staggering scale of the alleged intrusion, IBM reportedly failed to notify any government agencies — a particularly troubling omission given that IBM is one of the U.S. federal government's primary cybersecurity vendors.

The Five Eyes Warning

Barlow further alleges that in March 2017, intelligence agencies from the United States, United Kingdom, Canada, Australia, and New Zealand — collectively known as the Five Eyes alliance — directly warned IBM about the breach. This warning reportedly triggered an internal investigation, the findings of which IBM allegedly chose to bury.

Compounding the issue, the complaint notes that IBM's internal review was severely hampered because the company had not maintained basic access logs — a fundamental cybersecurity practice — making it impossible to fully determine the scope of the intrusion.

Two IBM Subsidiaries Also Allegedly Breached

Beyond its core network, Barlow claims two IBM-owned subsidiaries were also targeted and compromised:

  • Trusteer — a cybersecurity startup IBM acquired in 2013, which Barlow alleges was breached in 2018.
  • Truven — a healthcare data analytics company IBM purchased in 2016, which Barlow claims was breached on multiple occasions following the acquisition.

In both cases, Barlow accuses IBM of failing to conduct adequate investigations and neglecting to disclose the breaches to relevant parties.

IBM's Response

When approached for comment, IBM spokesperson Miki Carver declined to address the specific allegations raised in the lawsuit. In a statement provided to media, Carver said: "This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law."

The company has not publicly addressed the underlying cybersecurity claims in any further detail.

Why This Case Matters

While the breaches in question occurred over a decade ago, this case shines a harsh light on the broader issue of corporate transparency around cybersecurity incidents. Large enterprises — particularly those with significant government contracts — have historically been slow or altogether unwilling to disclose breaches, leaving clients, partners, and the public in the dark.

In recent years, legislators have responded by enacting stricter data breach notification laws designed to ensure timely and mandatory disclosure. However, this case illustrates just how significant the gap between legal obligation and corporate practice can be.

Jason Brown, the attorney representing Barlow, made the stakes clear: "You can't sell cybersecurity to the federal government while allegedly having these security problems within your own company." His firm has indicated it intends to pursue the case aggressively.

The lawsuit serves as a stark reminder that even the companies tasked with protecting others from cyber threats are not immune — and that accountability in the cybersecurity industry remains an ongoing challenge.