Whistleblower Alleges IBM Orchestrated a Systematic Cover-Up of State-Sponsored Cyber Intrusions

A former senior cybersecurity executive at IBM has alleged that the company orchestrated a systematic cover-up of multiple data breaches perpetrated by foreign state actors. William Barlow, who served as IBM's vice president of threat intelligence until his departure in August 2019, filed a lawsuit in 2020 that was unsealed this week. The complaint contends that Chinese hackers infiltrated IBM's core network between 2013 and 2016, yet the company neither disclosed the breaches to the public nor notified relevant government agencies. Barlow further asserts that at least two IBM subsidiaries were similarly compromised and that these incidents were also concealed. Trusteer, a cybersecurity startup acquired by IBM in 2013, was breached in 2018, while Truven, a healthcare data startup acquired in 2016, experienced multiple breaches post-acquisition. Barlow maintains that IBM failed to conduct proper investigations or disclosures for any of these breaches. IBM's spokesperson, Miki Carver, declined to address specific allegations, stating instead that the U.S. Department of Justice had declined to intervene and that IBM was confident it had adhered to the law. The hackers are purportedly linked to APT 10, a group associated with the Chinese government, whose members were indicted by the FBI in 2018. According to the complaint, the hackers infiltrated IBM's network and also accessed data maintained in collaboration with AT&T. In March 2017, intelligence officials from the Five Eyes alliance—comprising Australia, Canada, New Zealand, the United Kingdom, and the United States—warned IBM of the intrusion, prompting an internal investigation. That investigation concluded that APT 10 had potentially breached IBM's network more than 56,000 times. Crucially, however, further forensic analysis was precluded because IBM had failed to retain logs of network access—a fundamental security protocol. The complaint also reveals that four servers were compromised and that nearly 400 accounts and almost 200 systems across every IBM business unit, spanning 18 countries, had been accessed. Jason Brown, Barlow's counsel, stated that his firm intends to litigate the matter aggressively. Brown posited that it is inherently contradictory for a company to market cybersecurity solutions to the federal government while harboring such vulnerabilities internally. This case underscores the persistent challenge of ensuring corporate accountability, particularly when data breach notification laws, though increasingly prevalent, may be circumvented.