IBM, a giant in technology and cybersecurity, is facing serious accusations from a former insider. William Barlow, who once led IBM’s threat intelligence team, says the company hid years of hacking attacks. These attacks came from a Chinese state-linked group known as APT 10.

Barlow’s lawsuit, filed in 2020 but only recently unsealed, claims IBM’s network was breached more than 56,000 times between 2013 and 2016. These weren’t small incidents. Hackers accessed nearly 400 accounts and close to 200 systems worldwide. The attacks affected IBM’s business units across 18 countries.

The hacking campaign targeted not only IBM’s own data but also information stored through partnerships, including one with AT&T. The scale and reach of the breaches suggest serious weaknesses in IBM’s defenses at the time.

The Internal Investigation and Its Limits

In 2017, intelligence agencies from the Five Eyes alliance — Australia, Canada, New Zealand, the UK, and the US — warned IBM about the breaches. This led IBM to launch an internal investigation. But the company hit a major roadblock: it had not kept adequate logs of who accessed its network and when.

This failure meant IBM couldn’t fully assess the damage. Basic security protocols, like detailed access logs, were missing. According to Barlow’s complaint, IBM’s core network infrastructure was “archaic,” allowing hackers to move almost freely without detection.

Even with this knowledge, IBM allegedly never informed US authorities or its government clients. This silence is especially alarming because the US government is one of IBM’s largest customers.

Subsidiaries Also Breached and Concealed

Barlow didn’t stop with IBM’s core network. He said that Trusteer, a cybersecurity startup IBM bought in 2013, was hacked in 2018. Truven, a healthcare data company acquired in 2016, also suffered multiple breaches after joining IBM.

In both cases, Barlow claims IBM failed to investigate properly and didn’t disclose these incidents. This pattern suggests a company culture that prioritized secrecy over transparency, even when it came to serious data breaches.

IBM spokespeople declined to answer detailed questions. Their official statement said the complaint was old and that the US Department of Justice chose not to intervene. IBM maintains it acted within the law.

Why This Case Matters

This lawsuit highlights a deeper problem in cybersecurity: companies often hide breaches instead of reporting them. This leaves customers and the public in the dark. It also undermines trust in firms that sell cybersecurity services.

IBM markets itself as a leader in security, especially to federal agencies. If the company’s own defenses were weak and it concealed breaches, that raises big questions about its reliability.

The case also comes amid growing pressure on companies to disclose cyberattacks promptly. New rules require public firms to report major breaches within days. Yet enforcement remains uneven, and many attacks still go unreported.

Barlow’s lawyer argues that IBM can’t claim to protect others while ignoring its own vulnerabilities. The lawsuit is set to challenge how big tech handles security and transparency in the years ahead.

As cyber threats grow, this case is a reminder that even the biggest firms must keep vigilant and honest. The public deserves to know when their data or services are at risk. And companies must be held accountable when they fail to protect that trust.