Did IBM really hide more than 56,000 Chinese cyberattacks?

A newly unsealed whistleblower lawsuit accuses IBM of concealing a series of state-backed intrusions — including a sweeping, years-long campaign allegedly tied to China-linked hackers — while maintaining federal contracts that depend on strong cybersecurity. The company disputes wrongdoing and says it followed the law. The case, filed by former IBM vice president of threat intelligence William Barlow, now raises uncomfortable questions about transparency, logging, and the obligations of major government vendors when their own networks come under fire.

What the lawsuit alleges

Barlow’s complaint, filed under the False Claims Act in 2020 and unsealed this week after the Department of Justice declined to intervene, claims IBM knew of multiple breaches by foreign government-linked attackers over several years and failed to disclose them to regulators and government customers. The suit is pending in federal court in New York.

At the center of the allegations is a campaign attributed to APT10, a well-known Chinese state-backed hacking group. According to the complaint, an internal IBM probe — kicked off by a 2017 alert from the Five Eyes intelligence alliance — concluded that APT10 potentially accessed IBM’s network more than 56,000 times between 2013 and 2016. The activity allegedly reached across business units and geographies, targeting a cloud environment known as the “Core Network,” which the filing says is run by AT&T on IBM’s behalf and used by the U.S. military and other government entities.

Barlow contends the review identified compromises of nearly 400 accounts and access to roughly 200 systems and servers in 18 countries. Compounding the risk, the complaint states that IBM could not fully investigate because it lacked comprehensive access logs — a basic security control intended to show who accessed what and when.

Alleged efforts to mute the impact

The suit asserts that senior leaders pushed Barlow to soften or omit details in internal reports and to avoid forthright answers when government agencies inquired about the incidents. The alleged aim, according to the filing, was to prevent reputational damage and protect existing and prospective federal contracts that require robust security posture and incident disclosure.

Under the False Claims Act, private individuals can bring cases on the government’s behalf in instances of alleged fraud tied to federal funds or contracts. If successful, the government can recover damages. Here, the claim centers on whether IBM provided misleading assurances about the security of its systems while delivering cybersecurity products and services to federal clients.

Subsidiaries named in the filing

The complaint extends beyond IBM’s core network, asserting that two subsidiaries were also breached and that the incidents were not adequately investigated or disclosed. Trusteer — a cybersecurity firm IBM acquired in 2013 — was allegedly compromised in 2018, and Truven Health Analytics — acquired in 2016 — was allegedly targeted multiple times after the acquisition. The suit claims IBM failed to properly probe and report those events.

IBM’s response

IBM has not engaged publicly with the specific accusations. A company spokesperson said the complaint is six years old and emphasized that the Justice Department opted not to join the case. IBM stated it is confident its actions complied with the law.

It’s important to note that a DOJ declination does not necessarily speak to the merits of a case; the government declines to intervene for a variety of reasons, from resource constraints to strategic priorities. The allegations remain unproven, and the case is ongoing.

What makes these claims significant

  • Scope and sensitivity: The alleged breadth of the intrusions — tens of thousands of potential network accesses, hundreds of accounts, and systems worldwide — would be notable at any enterprise. The claims are more consequential given the purported exposure of a network environment used by the U.S. military and other agencies.
  • Logging and incident response: The assertion that access logs were not retained sufficiently to support a deeper investigation highlights a foundational issue. Without logs, organizations struggle to determine the blast radius, confirm exfiltration, or satisfy regulatory and contractual reporting requirements.
  • Disclosure obligations: Large federal contractors face stringent cybersecurity clauses and incident reporting timelines. The case tests how far vendors must go in disclosing suspected compromises — particularly long-running or difficult-to-attribute activity — and what constitutes a “material” security representation when bidding for or maintaining contracts.
  • Corporate governance: The complaint paints a picture of internal pressure to manage optics over transparency. If substantiated, it could trigger heightened scrutiny from regulators and contracting authorities on how security findings are escalated and communicated at the executive level.

The APT10 backdrop

APT10 is widely associated with China’s state-backed cyber operations and known for multi-year campaigns targeting managed service providers and their customers. According to the lawsuit, a Five Eyes alert in 2017 spurred IBM’s internal review, which then attributed extensive activity on the company’s network to the group. While attribution in cyberspace is inherently complex and often contested, the allegations align with known tactics used by APT10 to infiltrate service providers as a springboard to downstream targets.

A timeline, in brief

  • 2013–2016: The complaint alleges that APT10 potentially accessed IBM’s network more than 56,000 times during this period.
  • 2017: A Five Eyes warning reportedly triggers IBM’s internal inquiry into potential compromises.
  • 2018: Trusteer is allegedly breached, according to the filing.
  • Post-2016: Truven Health Analytics is allegedly hit multiple times after joining IBM.
  • 2020: Barlow files the False Claims Act lawsuit under seal.
  • 2024: The case is unsealed after DOJ declines to intervene; litigation continues in federal court in New York.

Why this matters for federal cybersecurity

Government agencies increasingly rely on large technology vendors not only for products but for managed services and critical infrastructure. When those providers experience suspected breaches, the downstream risk can extend to sensitive government networks and data handled within shared or hosted environments. The allegations in this case — if validated — would underscore the importance of:

  • Comprehensive logging: Retaining and securely storing access logs for sufficient periods to enable full-scope forensics and regulatory reporting.
  • Clear reporting channels: Ensuring incident-response playbooks include transparent escalation paths to regulators and government clients, even amid incomplete facts.
  • Third-party oversight: Strengthening audit and assurance mechanisms for environments operated by partners (such as telecom or cloud providers) on behalf of prime contractors.
  • Executive accountability: Embedding security risk disclosure into corporate governance and contract management, especially when federal systems or data are involved.

What we don’t know yet

Key details remain uncertain. The public filings do not specify what data may have been exfiltrated, whether sensitive government information was accessed, or the precise extent of compromise within the Core Network. It is also unclear how IBM’s security posture and logging practices evolved after the alleged events. Discovery and future court filings may clarify these points.

What comes next

The case will proceed through the courts unless dismissed or settled. Potential next steps include motions challenging the claims, discovery that could reveal additional technical evidence, and possible hearings on whether the alleged incidents and disclosures meet the False Claims Act’s standards. Separately, federal customers may conduct their own reviews of contracting and reporting obligations in light of the allegations.

These are allegations in active litigation. No court has ruled on the merits, and IBM maintains that it acted lawfully.
