The Accusation

William Barlow was IBM's Vice President of Threat Intelligence until August 2019. He spent years inside IBM's security apparatus. Now he's a whistleblower.

In a lawsuit unsealed this week — originally filed in 2020 — Barlow alleges IBM knew its core network was breached by Chinese government-linked hackers multiple times between 2013 and 2016, and then deliberately covered it up. According to TechCrunch's reporting by Lorenzo Franceschi-Bicchierai, Barlow claims IBM also concealed breaches at at least two subsidiaries.

His words in the complaint: IBM's core network was "routinely hacked by foreign state actors and others" and "data was frequently stolen and government agencies were never notified."

The Hacking Group Behind It

The alleged culprit is APT 10 — a Chinese government-affiliated cyberespionage group. This isn't some random hacker collective. When APT 10 members were federally indicted in 2018, then-FBI Director Christopher Wray said they had targeted a "Who's Who of the global economy."

Barlow's complaint says APT 10 potentially breached IBM's network more than 56,000 times between 2013 and 2016. That's 56,000 separate incidents, not 56.

The breach also extended to data IBM maintained in partnership with AT&T.

The Five Eyes Warning IBM Allegedly Ignored

In March 2017, intelligence agencies from the United States, United Kingdom, Australia, Canada, and New Zealand — the Five Eyes alliance — reportedly warned IBM directly about the breach. That warning triggered an internal investigation.

The investigation confirmed the compromise. Then IBM allegedly did nothing with the findings.

According to the complaint, IBM said it couldn't fully investigate because it had not kept logs of who accessed its network and when. Basic network logging is a foundational cybersecurity practice. A company that sells cybersecurity services to the federal government wasn't doing it for itself.

IBM's Response Is Paper-Thin

IBM spokesperson Miki Carver declined to address the specific allegations, telling TechCrunch: "This complaint was filed six years ago, and the U.S. Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law."

No denial of the breach. No explanation of what was or wasn't disclosed. No acknowledgment of what data may have been accessed. Just a procedural shield.

The DOJ declining to intervene does not mean the allegations are false. It means the DOJ chose not to pursue it as a criminal matter.

Why This Matters

IBM is one of the largest cybersecurity vendors to the U.S. federal government. Agencies across the government rely on IBM infrastructure and security services.

If IBM's core network was accessed over 56,000 times by a Chinese state-sponsored group — and IBM concealed that from the government agencies it was simultaneously protecting — the national security implications are severe.

The federal government was potentially paying IBM for security services while IBM knew its own systems had been compromised by the same adversary those services were meant to defend against.

What Remains Unanswered

TechCrunch broke the story, with Lorenzo Franceschi-Bicchierai providing solid detail from Barlow's complaint. But coverage has focused primarily on corporate accountability — a company that didn't disclose breaches.

APT 10 is not criminal ransomware operators looking for a payout. It is a Chinese intelligence-linked group conducting long-term espionage operations. The critical questions remain: What data did they actually access? Did those agencies' data flow through the compromised IBM infrastructure? Were any classified or sensitive government systems touched?

The Disclosure Problem Is Systemic

Barlow's lawsuit highlights a broader structural failure. For years, major companies had zero legal obligation to disclose breaches — especially to government clients. In recent years, the SEC and CISA have moved to tighten breach notification rules, but those reforms came after the window in which IBM allegedly concealed these incidents.

The law has since changed. But the damage from the old era of voluntary non-disclosure may never be fully known.

Moving Forward

A six-year-old lawsuit suddenly unsealed is easy to dismiss as old news. The core question it raises remains unresolved: did IBM, a major federal cybersecurity contractor, cover up repeated Chinese government intrusions to protect its business relationships?

IBM has offered no specific denial of the underlying facts. The DOJ passed. No regulator has pursued it publicly. Barlow is still fighting.

Regular Americans funding the federal government deserve to know whether the agencies protecting national security were themselves being protected by a vendor that knew it was compromised and said nothing.