IBM Whistleblower Alleges Decade of Covered-Up Chinese Hacks

Key Takeaways

- Former IBM VP alleges the company concealed breaches by Chinese hackers from 2013-2016
- Internal investigation reportedly found 56,000 potential network intrusions
- IBM claims the DOJ declined to intervene after reviewing the case for six years

The Core Allegations
William Barlow served as IBM's vice president of threat intelligence until August 2019. In a lawsuit filed under seal in 2020 and unsealed this week, he claims IBM concluded that Chinese hackers breached its core network between 2013 and 2016. The company then covered up the breaches and never disclosed them, according to the complaint.
Barlow alleges that IBM's core network was "routinely hacked by foreign state actors and others." Data was frequently stolen, and government agencies were "never notified," the complaint states. At least two IBM subsidiaries were also breached with similar coverups, according to the filing.
The alleged breaches tie to APT 10, a Chinese government-linked hacking group. Then-FBI Director Christopher Wray said the group had targeted a "Who's Who" of the global economy when its members were indicted in 2018. The hackers broke into both IBM's network and data the company maintained in partnership with AT&T.
Five Eyes Warning Triggered Internal Probe
According to the complaint, intelligence officials from Australia, Canada, New Zealand, the United States, and the United Kingdom warned IBM of the breach in March 2017. This warning from the Five Eyes alliance prompted an internal investigation.
That investigation found APT 10 potentially breached IBM's network more than 56,000 times over three years. But the company said it could not investigate further because it had not kept logs of who accessed its network and when. Log retention is considered a basic security practice.
“The design was so flawed that the companies could not definitively determine what data was stolen or modified.”
— Allegation from the unsealed complaint filed by William Barlow
The complaint describes IBM and AT&T's infrastructure as "archaic," claiming hackers could "gain access to the system on numerous occasions and can roam almost anywhere undetected." Four servers were confirmed compromised during the internal investigation.
Why This Matters for Federal Contractors
IBM is a major cybersecurity vendor to the U.S. federal government. The alleged concealment carries extra weight because of this relationship. The lawsuit was filed under the False Claims Act, which allows whistleblowers to sue on behalf of the government when contractors allegedly defraud federal agencies.
The complaint alleges that 100,000 U.S. Navy personnel had their personal data stolen during the Chinese hacker infiltration. Approximately 400 accounts were penetrated during the 2017 internal investigation, with 200 systems across 18 states reported as impacted by the security failures.
IBM's Response
IBM spokesperson Adam Pratt declined to answer specific questions about the lawsuit. "IBM is confident its actions complied with the law, and the DOJ's decision not to intervene after a six-year review supports our position," Pratt said.
The Department of Justice declining to intervene does not dismiss the case. Whistleblowers can proceed with False Claims Act lawsuits even without DOJ participation, though cases without government backing face longer odds.
Community and Industry Reaction
Discussion on security forums including r/netsec and Hacker News has focused on systemic risks of relying on large contractors for critical government infrastructure. Users expressed particular alarm at claims that logs were cleared to hide evidence, arguing this sets a dangerous precedent for corporate accountability in the defense sector.
The case highlights a persistent gap in cybersecurity disclosure. While the alleged breaches date back more than a decade, the news shows that cyberattacks affecting large public tech companies sometimes never get disclosed to the public or relevant authorities. Several data breach notification laws have been passed in recent years to address this problem, but enforcement remains uneven.
Frequently Asked Questions
What is APT 10?
APT 10 is a Chinese government-linked hacking group that the FBI says targeted major global companies. The U.S. Department of Justice indicted group members in December 2018.
Why did the DOJ decline to intervene in the IBM whistleblower case?
The DOJ has not publicly explained its decision. Declining to intervene does not mean the government found the claims meritless. It often reflects resource constraints or evidentiary concerns. The whistleblower can still pursue the case independently.
Does IBM face criminal charges from this lawsuit?
No. This is a civil lawsuit filed under the False Claims Act, which addresses fraud against the federal government. Criminal charges would require separate DOJ action.
What data was allegedly stolen from IBM's network?
The complaint claims personal data of 100,000 U.S. Navy personnel was stolen. However, the lawsuit also alleges IBM could not determine exactly what data was taken because the company failed to maintain proper access logs.
What happens next in the IBM whistleblower lawsuit?
With the case now unsealed, Barlow can proceed with litigation. IBM will likely file motions to dismiss. If the case survives early legal challenges, it could proceed to discovery and potentially trial.
Source: TechCrunch / Lorenzo Franceschi-Bicchierai
Huma Shazia
Senior AI & Tech Writer