The internal report was damning: 56,000 potential unauthorized access events over three years. Yet, according to a newly unsealed lawsuit, IBM’s response was not to alert the federal government or the public, but to keep the findings quiet.
William Barlow, who served as IBM’s vice president of threat intelligence until 2019, alleges that the tech giant was repeatedly compromised by foreign state actors between 2013 and 2016. The lawsuit, originally filed in 2020, paints a picture of a cybersecurity titan that failed to maintain even the most basic digital hygiene, allegedly lacking the logs necessary to track the movement of hackers through its own core network.
This is not just a story about a legacy tech company struggling with outdated infrastructure. It is a direct challenge to the credibility of a firm that serves as a primary cybersecurity vendor for the U.S. federal government. If the allegations hold, IBM was selling security services to the very agencies it was failing to warn about its own compromised systems.
The APT 10 Connection
At the heart of the complaint is the activity of APT 10, a hacking group linked to the Chinese government. In 2018, the U.S. Justice Department indicted members of the group, describing them as a persistent threat to the global economy. Barlow alleges that IBM was a primary target of this campaign, with hackers infiltrating the company's network and data it maintained in partnership with AT&T.
According to the complaint, the breach was only brought to light after the "Five Eyes" intelligence alliance (the U.S., U.K., Canada, Australia, and New Zealand) warned IBM in March 2017. An internal investigation reportedly concluded that four servers were compromised, with nearly 400 accounts and 200 systems affected across 18 countries. The most striking detail, however, is the admission of technical failure: IBM reportedly told investigators it could not fully scope the intrusion because it had not retained adequate access logs.
A Pattern of Concealment?
Barlow’s allegations extend beyond the APT 10 campaign. He claims that IBM’s security failures were systemic and that the company repeatedly chose to bury evidence of breaches rather than disclose them.
He specifically points to two acquisitions:
- Trusteer: A cybersecurity startup acquired in 2013, which Barlow claims was breached in 2018.
- Truven: A healthcare data firm acquired in 2016, which he alleges suffered multiple breaches post-acquisition.
In both instances, Barlow asserts that IBM failed to conduct a thorough investigation or notify affected parties. The complaint characterizes IBM’s core network as "archaic," suggesting that the company’s internal systems were so fragmented and outdated that hackers were able to roam undetected for years.
What This Means for Government Clients
IBM maintains that it has followed the law. In a statement to TechCrunch, spokesperson Miki Carver noted that the Department of Justice declined to intervene when the complaint was first filed six years ago. "IBM is confident that our actions followed the letter of the law," Carver said.
However, the legal battle is far from over. Jason Brown, the attorney representing Barlow, argues that the company’s alleged behavior creates a fundamental conflict of interest. "You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company," Brown said.
Key Takeaways
- Systemic Failures: The lawsuit alleges IBM lacked the basic access logs needed to reconstruct how deeply state-sponsored hackers penetrated its network, leaving the true scope of the compromise unknown.
- Conflict of Interest: The allegations suggest IBM withheld information about its own vulnerabilities while simultaneously acting as a security contractor for U.S. federal agencies.
- Legal Standing: The U.S. Department of Justice declined to intervene in the 2020 filing, but a declination does not dismiss a whistleblower suit; the case can proceed without the government, and the unsealing of the lawsuit brings these decade-old allegations into the public eye, potentially forcing a new round of scrutiny.
As the litigation proceeds, the focus will shift to the evidence regarding IBM’s internal reporting processes. The question is no longer just whether the breaches occurred, but whether the company’s decision to remain silent was a calculated risk that prioritized its reputation over the security of its government clients.