
IBM Whistleblower Alleges Chinese Hackers Breached the Company Three Times — and IBM Covered It Up

An unsealed 2020 lawsuit claims IBM concealed multiple foreign state-sponsored intrusions, never notified government clients, and sidelined the executive who flagged the breaches.

A bombshell whistleblower lawsuit unsealed this week has put IBM at the center of a serious cybersecurity disclosure controversy. William Barlow, a former IBM Vice President of Threat Intelligence who left the company in August 2019, alleges that IBM was breached by foreign state-sponsored hackers at least three separate times over the previous decade — and that the company chose to conceal those intrusions rather than notify affected parties.

The lawsuit was originally filed in 2020 but has only now become public. Barlow's complaint describes IBM's core corporate network as having been "routinely hacked by foreign state actors and others," with data regularly exfiltrated and government agency clients allegedly never informed of the compromises.

The APT 10 Connection

Central to the complaint is the alleged involvement of APT 10, a Chinese government-linked hacking group that U.S. officials have described as one of the most prolific state-sponsored cyber espionage operations targeting Western corporations. Then-FBI Director Christopher Wray once characterized APT 10's targets as a "who's who" of critical American industries.

According to Barlow, IBM concluded that APT 10 had successfully breached its core network infrastructure. Rather than disclosing this to affected clients or regulators, Barlow alleges the company worked to suppress the findings and prevent disclosure — with Barlow himself eventually being pushed out of his role after raising concerns internally.

IBM Responds — Briefly

IBM spokesperson Miki Carver declined to address the specific allegations, telling TechCrunch only that the complaint was filed six years ago and that the U.S. Department of Justice had previously declined to take up the case. That DOJ declination is a procedural note, not an exoneration — DOJ resources and prioritization are finite, and a declination does not constitute a finding that allegations are without merit.

Why It Matters

This case surfaces a problem that security professionals have long warned about: large enterprises may have more incentive to conceal breaches than to disclose them, especially when government clients are involved. The reputational and contractual consequences of admitting a significant foreign espionage intrusion can be severe, and without mandatory incident reporting frameworks with real teeth, companies can make calculated decisions about what to reveal.

The IBM allegations, if true, also underscore the importance of federal breach notification regulations that have been progressively strengthened over recent years — including CISA directives and SEC cybersecurity disclosure rules introduced in 2023. Those frameworks now impose clearer obligations on public companies to disclose material incidents, making a repeat of the alleged IBM scenario harder to sustain.

For enterprise security and compliance leaders, this case is a reminder that internal disclosure policies, whistleblower protections, and third-party breach notification obligations are not just legal checkboxes. They are the practical mechanisms that prevent organizations from calcifying around secrets that eventually become public — often in much more damaging ways than timely disclosure would have produced.

Source: TechCrunch
