IBM, AT&T foreign hacks claim tests disclosure rules

IBM and AT&T face whistleblower allegations that they concealed repeated foreign intrusions from the US government, according to Bloomberg. The claim comes from former IBM vice president of threat intelligence William Barlow, whose lawsuit was filed under seal in 2020 and became public after the US Department of Justice declined to intervene. A syndicated version carried by Fortune repeated the central allegation but did not add a separate finding.

No court has found either company liable. The disclosure question is how far a major technology or telecoms contractor must go when suspected foreign intrusions touch systems used to serve government customers.

Barlow alleges IBM and AT&T suffered repeated breaches and hid them while seeking or keeping federal work. Bloomberg reported that the complaint claims an internal IBM probe between 2013 and 2016 found 50,000 potential APT 10 hits. A later review allegedly identified 400 compromised accounts and access to more than 200 systems and servers across 18 countries.

Those figures are allegations in a complaint, not an independent breach tally. They describe a claimed internal visibility problem that ran for years. Security teams buying cloud, network and managed defence services need to know whether a vendor recognised the exposure early enough and passed useful information to customers with time to act.

IBM rejected the allegation that it broke the law. Adam Pratt, an IBM spokesperson, noted the government’s decision not to join the case and defended the company’s conduct in comments reported by Bloomberg.

This complaint was filed six years ago, and the US Department of Justice declined to intervene. IBM is confident that our actions followed the letter of the law.

Adam Pratt, IBM

AT&T is also named in the complaint. Bloomberg reported that the lawsuit says AT&T runs a Core Network on IBM’s behalf, and that IBM cloud infrastructure is used by US government agencies, including the military. That places the complaint near critical enterprise systems rather than routine corporate IT.

Why disclosure is the issue

Barlow’s central claim is that the companies concealed the alleged intrusions while selling cybersecurity and infrastructure services to the government. Jason T. Brown, a lawyer for Barlow, put the trust question in direct terms in the Bloomberg report.

You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.

Jason T. Brown, lawyer for William Barlow

The Justice Department’s decision not to intervene has a narrow meaning. The government did not take over the case. It leaves unresolved the alleged intrusions, the false-assurance claims and any disclosure duty tied to them.

For Australian technology buyers, the case is worth watching because the same vendor-trust problem appears in local procurement and critical infrastructure settings. Cloud providers, telecoms operators and managed security vendors often sit close to sensitive data, even when an incident begins inside the vendor’s environment rather than inside a customer network.

If the allegations survive in court, the case could add pressure on large enterprise suppliers to document when they learned about serious intrusions, who was told and how quickly government customers were briefed. If they do not, it remains a reminder that sealed whistleblower complaints can surface years after the incidents they describe.