Former IBM Threat Intelligence VP Alleges IBM and AT&T Hid Nation-State Breaches From Federal Government in Unsealed False Claims Act Lawsuit
A False Claims Act lawsuit originally filed under seal in 2020 has been unsealed after the federal government declined to join as co-plaintiff, revealing explosive allegations from IBM's former Vice President of Threat Intelligence that both IBM and AT&T systematically concealed nation-state hacking incidents from the federal government while fraudulently certifying compliance with cybersecurity regulations across billions of dollars in government contracts.

William Barlow, who served as IBM's VP of Threat Intelligence from January 2017 through August 2019, alleges that IBM and AT&T operated core network infrastructure so fundamentally flawed that neither company could determine what data was breached, who breached it, when the breaches occurred, or whether data was exfiltrated or altered — because they failed to maintain the audit logs required by federal regulations.
The APT10 Breaches
The complaint details how in March 2017, intelligence officials from four Five Eyes nations — the United States, Canada, the United Kingdom, and Australia — notified IBM that its IP addresses were connecting to known APT10 command-and-control infrastructure. The subsequent internal investigation, dubbed the "Davis Investigation," found 56,215 potential APT10 indicators dating between 2013 and 2016, but could not investigate further because there were no corresponding logs connecting DNS requests to specific users or laptops. The investigation ultimately analyzed less than 1% of IBM's total system population.
A second investigation — the "Bison Investigation" — launched after the UK's National Cyber Security Centre reported possible APT10 compromise in June 2018, confirmed that attackers had compromised nearly 400 accounts and almost 200 systems and servers across every IBM business unit, eighteen countries, and multiple IBM products. The internal Bison Report, dated December 16, 2018, stated that attacker activity had been observed on a "nearly daily basis" since at least November 2017, with possible activity dating back to January 2015.
When the APT10 indictments were publicly unsealed in December 2018, IBM released a statement claiming no sensitive data had been lost — a statement Barlow characterizes as materially misleading, given IBM's own admission that it lacked the logging capability to know what was taken.
The Network Infrastructure Failures
Barlow describes IBM's core network, operated by AT&T, as a "flat network" with little to no segmentation, meaning a user in Los Angeles had the same access as a user in Shanghai with no additional restrictions. AT&T could not provide VPN audit logs when Barlow's team requested them during investigations, could not associate user IDs with network exit nodes, and could not identify which workstations were assigned to specific IP addresses. IBM had virtually no endpoint monitoring on its AT&T-provided network.
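The gap described in the Davis Investigation (DNS indicator hits with no log tying a request to a user or laptop) and in the AT&T network failures above (no VPN audit logs, no user-to-exit-node or IP-to-workstation mapping) is the same missing join. The script below, an added illustration that is not part of the complaint and not code from IBM or AT&T, shows what that join looks like for a defender: a C2 indicator hit in a resolver log is attributed to a host via the DHCP lease active at that moment and to a user via the VPN session holding that address. All log lines, the `.invalid` indicator domains, hostnames and user IDs are constructed for the example; the log formats are simplified assumptions. Running it with the DHCP and VPN logs empty reproduces the failure mode the complaint describes: every hit is unattributable.

```python
"""Attribute DNS indicator hits to a host and user by joining DHCP and VPN logs.

Constructed example data only; indicator domains use the reserved .invalid TLD.
"""
from datetime import datetime

# Constructed indicator list (placeholder C2 domain names).
C2_INDICATORS = {"update-check.example.invalid", "cdn-sync.example.invalid"}

# Constructed resolver log: timestamp, client IP, queried name.
DNS_LOG = """\
2018-11-02T08:14:03Z 10.20.5.17 update-check.example.invalid
2018-11-02T08:14:05Z 10.20.5.17 mail.corp.example
2018-11-02T09:41:22Z 10.99.0.8 cdn-sync.example.invalid
2018-11-02T19:10:00Z 10.20.5.17 update-check.example.invalid
"""

# Constructed DHCP lease log: lease start, lease end, IP, hostname.
# Note the 19:00-19:30 gap on 10.20.5.17: no lease covers the 19:10 query.
DHCP_LOG = """\
2018-11-02T07:00:00Z 2018-11-02T19:00:00Z 10.20.5.17 LAPTOP-A1
2018-11-02T19:30:00Z 2018-11-03T07:30:00Z 10.20.5.17 LAPTOP-B7
"""

# Constructed VPN session log: session start, session end, assigned IP, user ID.
VPN_LOG = """\
2018-11-02T09:02:00Z 2018-11-02T20:55:00Z 10.99.0.8 user.carol
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(text):
    """Yield (timestamp, client_ip, qname) tuples from the resolver log."""
    for line in text.splitlines():
        ts, ip, qname = line.split()
        yield parse_ts(ts), ip, qname


def parse_intervals(text):
    """Parse 'start end ip label' records (DHCP leases or VPN sessions)."""
    records = []
    for line in text.splitlines():
        start, end, ip, label = line.split()
        records.append((parse_ts(start), parse_ts(end), ip, label))
    return records


def lookup(intervals, ip, ts):
    """Return the label whose interval covers ip at time ts, or None."""
    for start, end, rec_ip, label in intervals:
        if rec_ip == ip and start <= ts <= end:
            return label
    return None


def attribute_hits(dns_text, indicators, dhcp_text, vpn_text):
    """Join each indicator hit to the host (DHCP) and user (VPN) active at that time."""
    dhcp = parse_intervals(dhcp_text)
    vpn = parse_intervals(vpn_text)
    results = []
    for ts, ip, qname in parse_dns(dns_text):
        if qname not in indicators:
            continue  # benign query, not an indicator hit
        host = lookup(dhcp, ip, ts)
        user = lookup(vpn, ip, ts)
        results.append({
            "time": ts.isoformat(),
            "ip": ip,
            "indicator": qname,
            "host": host,
            "user": user,
            # A hit is only actionable if it can be tied to a host or a user.
            "attributable": host is not None or user is not None,
        })
    return results


def summarize(results):
    """Count how many indicator hits could and could not be attributed."""
    attributed = sum(1 for r in results if r["attributable"])
    return {"hits": len(results), "attributed": attributed,
            "unattributed": len(results) - attributed}


if __name__ == "__main__":
    print(summarize(attribute_hits(DNS_LOG, C2_INDICATORS, DHCP_LOG, VPN_LOG)))
    # With no DHCP or VPN logs at all, every hit is unattributable.
    print(summarize(attribute_hits(DNS_LOG, C2_INDICATORS, "", "")))
```

The third hit lands in a lease gap and stays unattributed even with full logs, which is why lease and session logs need to be complete and retained long enough to cover the dwell time of an intrusion; a retention window of days, as described later in the complaint, would discard the very records this join depends on.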
The complaint alleges AT&T subcontracted portions of its cloud infrastructure to China Telecom Corp. Ltd., a company owned by the People's Republic of China, while failing to disclose this arrangement or its associated hacking incidents to federal customers.
The Trusteer and Truven Breaches
In November 2018, an adversary suspected to be a hostile state or sophisticated criminal actor accessed the source code for three of IBM's Trusteer digital identity security products — software used by banks worldwide to detect and prevent fraud. IBM developed a "client communication" protocol in case the breach became public, but did not disclose the incident to banking regulators for two months. An IBM attorney privately confirmed to Barlow that AT&T's VPN was involved in the Trusteer breach.
The complaint also details breaches of Truven Health Analytics, which IBM acquired for $2.6 billion and which held the $7 billion Centers for Medicare and Medicaid Services contract. In one incident, Barlow personally observed an adversary operating on a system in real time with the ability to control patient dosing in a neonatal intensive care unit. A subsequent attack in June 2019 compromised the admin account, granting full domain access. Neither breach was thoroughly investigated or reported.
The Alleged Coverup
Barlow alleges a systematic effort by IBM senior management to suppress his findings. IBM General Manager of Security Mary O'Brien suggested he "tone down" his reports and told him that CEO Virginia Rometty was aware of the breaches but did not want to affect stock prices. O'Brien later directed Barlow to consider redacting breach information from reports prepared for IBM's Cybersecurity Advisory Council.
IBM's CIO Fletcher Previn allegedly blocked deployment of endpoint detection tools that would have revealed the scope of compromise. When forced to allow limited use of Carbon Black threat detection software, Previn authorized it only on a network segment believed to be free from adversary activity — virtually guaranteeing no evidence would be found.
IBM's cyber counsel changed the company's document retention policy for hacking investigations to just seven days. After Barlow challenged the legality, it was extended to one month. Senior managers wanted hacking reports kept off the CAC's agenda and did not want minutes kept of breach discussions. The NSA directly questioned Barlow about the breaches, and he was instructed to "dodge" the questions.
The Bison Report itself documented IBM's internal recognition that "details of cybersecurity incidents are often edited, redacted and ultimately filtered by the time they reach the CAC," that "pervasive leadership failures" plagued the security organization, and that the company had experienced a "loss of control" where it could "neither detect the movement of the adversary nor stop their activities."
The False Claims Act Allegations
The lawsuit alleges IBM and AT&T violated the Federal False Claims Act across eight counts by fraudulently certifying compliance with FAR, DFARS, NIST SP 800-53, NIST SP 800-171, NIST SP 800-37, and FedRAMP requirements while knowing their systems failed to meet minimum security standards. Both companies held FedRAMP certifications and numerous federal contracts — IBM across at least 24 active federal contract vehicles, AT&T across at least 17 — while their core infrastructure lacked basic controls like VPN logging, network segmentation, and endpoint monitoring.
Barlow's complaint details violations across 20 specific NIST SP 800-53 controls, 21 NIST SP 800-171 requirements, and 7 NIST SP 800-37 tasks. The lawsuit seeks treble damages and civil penalties for each violation.
Significance:
This lawsuit, if its allegations hold, describes one of the most consequential cybersecurity failures in federal contracting history: a flat network with no segmentation, no VPN logging, no endpoint monitoring, and active APT10 compromise across every business unit and eighteen countries, all while the companies held FedRAMP certification and certified compliance on billions of dollars in government contracts. The fact that the former VP of Threat Intelligence was told to "tone down" his reports and "dodge" questions from the NSA paints a picture of institutional willful blindness at the highest levels of two of the world's largest technology companies. Whether or not the legal claims succeed, the technical allegations represent a case study in how corporate incentives can override security obligations at scale.