
Jun 15, 2026 · 6 min read

IBM Covered Up APT10 Hacks for a Decade, Whistleblower Says

A sealed lawsuit filed in 2020 by IBM's former VP of threat intelligence was unsealed this week, alleging that Chinese state hackers infiltrated IBM and AT&T's government cloud infrastructure more than 50,000 times between 2013 and 2016 — and that both companies concealed the breaches from federal clients for years.

The complaint names IBM, AT&T, and APT10, the Chinese government-sponsored hacking group whose members were indicted by the U.S. Justice Department in 2018. The lawsuit was filed by William Barlow, who served as IBM's vice president of threat intelligence until his resignation in August 2019. Barlow alleges that IBM discovered the breaches, internally concluded that APT10 was responsible, and then took active steps to conceal the intrusions from regulators and government customers. The case sat under seal for six years until the Department of Justice declined to intervene in June 2026, triggering its public release. IBM called the allegations "false and misleading" in a statement issued after unsealing.

Key Takeaways

  • William Barlow, IBM's former VP of threat intelligence, filed a sealed whistleblower complaint in 2020 alleging IBM covered up multiple APT10 breaches of its core network.
  • APT10, a Chinese government-backed hacking group, allegedly infiltrated IBM and AT&T's shared infrastructure more than 50,000 times between 2013 and 2016.
  • An internal IBM investigation found nearly 400 compromised accounts and 200 compromised systems spread across 18 countries.
  • In 2018, U.S. prosecutors charged Chinese nationals linked to APT10 with separately stealing 100,000 U.S. Navy personnel records through IBM networks.
  • IBM allegedly never notified U.S. government clients — including military customers — despite being a major cybersecurity contractor to the federal government.

What Did the Lawsuit Allege?

According to the complaint, APT10 targeted IBM's cloud computing infrastructure specifically because of IBM's role as a major provider to U.S. government agencies, defense contractors, and critical infrastructure operators. AT&T operated the "Core Network" on IBM's behalf, making the two companies joint custodians of the compromised systems. The breach activity allegedly spanned years: over 50,000 potential compromise events attributed to APT10 between 2013 and 2016, followed by a separate 2017 internal investigation that identified nearly 400 accounts and 200 systems as compromised across 18 countries.

Barlow alleges that IBM senior management "actively took steps to cover up and conceal" the hacks from U.S. regulators and government clients. No public disclosure was made. No federal agencies were notified. IBM continued to market itself as a trusted cybersecurity partner to the same government clients whose infrastructure had been compromised. Barlow claims his internal efforts to escalate the issue were stifled, ultimately leading to his departure from the company.

The lawsuit also connects to a publicly known incident. In 2018, the U.S. Justice Department unsealed an indictment against Chinese nationals linked to APT10, charging them with — among other targets — stealing 100,000 U.S. Navy personnel records by compromising a Navy contractor's systems. That contractor used IBM's network infrastructure. The whistleblower complaint claims the Navy breach was one of several that IBM knew about and did not disclose.

Who Is APT10?

APT10, also known as Stone Panda or MenuPass, is a Chinese state-sponsored advanced persistent threat group that has operated since at least 2009. Then-FBI Director Christopher Wray described the group's targets as a "Who's Who" of the global economy when APT10 members were indicted in 2018. The group is known for long-duration intrusions, often maintaining access to target networks for years while systematically exfiltrating intellectual property, government data, and personal records.

APT10's trademark approach is targeting managed service providers and IT vendors — the suppliers that maintain access to hundreds of downstream organizations simultaneously. Compromising one large vendor like IBM grants access to every client whose infrastructure runs through that vendor's network. That architectural leverage explains why the alleged 50,000 breach events could originate from a single sustained intrusion into IBM's core infrastructure rather than 50,000 separate attack campaigns against individual targets.

Why the Six-Year Seal Matters

The lawsuit was filed in 2020 under the False Claims Act, a federal statute that allows private individuals to sue contractors who defraud the government and collect a share of any recovery. False Claims Act cases are filed under seal while the Justice Department investigates and decides whether to join the case as a plaintiff. The DOJ's June 2026 decision not to intervene does not mean it found the allegations false — it simply means the government chose not to take on the litigation itself. Barlow can continue to pursue the case privately.

The six years during which the case remained sealed meant that IBM's government clients — and the public — had no access to the allegations. During that period, IBM continued to win federal contracts and market its security services to agencies that, if the allegations are accurate, had unknowingly had their infrastructure compromised by Chinese state actors while under IBM's protection. The unsealing is notable precisely because it surfaces a claim that remained hidden through most of the Biden administration and into the Trump administration's second term.

What IBM and AT&T Said

IBM issued a statement calling the allegations "false and misleading," denying that it covered up any breaches or failed to meet its disclosure obligations. AT&T has not issued a public statement on the complaint as of the unsealing date. Neither company addressed the specific factual claims in the complaint — the 50,000 compromise events, the 400 accounts, or the 2017 internal investigation findings — in their public responses.

For context, IBM has faced other security controversies in recent years. A 2023 breach exposed data from IBM's IT infrastructure management division. The company settled a 2022 class action over a separate breach affecting healthcare partners. The whistleblower complaint, if proven, would represent a significantly more severe allegation: not a breach that was disclosed and remediated, but one that was deliberately hidden from the government clients most directly harmed by it.

What This Means for Enterprise Email and Communications Security

The IBM case is a concrete example of a risk that security professionals have long documented: the supply chain attack. Organizations often invest heavily in securing their own perimeter while relying on vendors whose security posture they cannot directly audit. IBM's cloud and managed services infrastructure processed email, communications, and sensitive operational data for its government clients. If that infrastructure was compromised at scale, the practical consequence is that adversaries had potential access to communications flowing through it — without the end users or their organizations ever knowing.

The lesson extends to ordinary users as well. Email infrastructure is a chain of custody. The service you use to send email relies on servers, networks, and upstream providers. When any link in that chain is compromised and the compromise is concealed, the users at the end of the chain have no signal that their communications are exposed. Notification requirements exist precisely to break this pattern — disclosure laws require vendors to tell affected parties so they can act. The IBM allegations, if accurate, describe a decade during which that mechanism was deliberately bypassed.

Sources: TechCrunch: former IBM executive whistleblower accuses IBM of covering up data breaches; Fortune: IBM and AT&T accused by whistleblower of covering up foreign hacks; Security Magazine: whistleblower accuses IBM and AT&T of covering up breaches.
