Ex-IBM VP’s 2020 Suit Claims IBM Hid 56,000 Cyberattacks by China

3 min readSources: Courthouse News, TechCrunch

In 2020, ex-IBM VP William Barlow sued IBM for allegedly hiding 56,000 cyberattacks by Chinese hackers.

Why it matters: Companies with federal cybersecurity contracts face strict obligations to report breaches and preserve logs. Legal teams must navigate disclosure risks amid growing government scrutiny of cybersecurity compliance.

  • William Barlow, former IBM VP of Threat Intelligence, filed the lawsuit in August 2020.
  • The complaint alleges APT 10 conducted over 56,000 network intrusions on IBM from 2013 to 2016.
  • Nearly 400 user accounts and 200 systems across 18 countries were compromised, including Trusteer and Truven Health.
  • IBM allegedly failed to preserve security logs and notify U.S. government authorities despite federal cybersecurity contracts.

William Barlow, ex-VP of Threat Intelligence at IBM, filed a lawsuit in August 2020 accusing IBM and AT&T of concealing extensive cyberattacks. The complaint alleges the Chinese state-sponsored hacking group APT 10 breached IBM's core network over 56,000 times between 2013 and 2016.

The breaches reportedly affected about 400 user accounts and 200 systems across IBM and its subsidiaries, including Trusteer (acquired in 2018) and Truven Health Analytics (post-2016 acquisition), spanning 18 countries worldwide.

Barlow's suit claims IBM did not preserve required security logs or notify U.S. government authorities, despite its cybersecurity contracts with federal agencies. This raises questions about IBM's compliance with breach disclosure and cybersecurity contractual obligations.

Jason Brown, Barlow's attorney, told TechCrunch, "You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company." IBM spokesperson Miki Carver responded, "This complaint was filed six years ago, and the U.S. Department of Justice chose not to intervene. IBM is confident our actions complied fully with legal requirements." The DOJ's decision not to intervene is documented in publicly available court filings (court complaint PDF).

This case underscores the complex legal and compliance risks faced by legal teams managing cybersecurity disclosures for companies with federal contracts, especially as cyber threats from state-sponsored actors escalate.

Additional reporting by Reuters provides an independent perspective on the lawsuit's implications for corporate cybersecurity governance.

By the numbers:

  • 56,000+ — alleged number of network intrusions by APT 10 on IBM (2013-2016)
  • 400 user accounts — reportedly compromised in the cyberattacks
  • 18 countries — locations affected across IBM's global network

Yes, but: IBM and the U.S. Department of Justice have not intervened in the lawsuit, claiming compliance with legal requirements, which leaves unresolved questions about the extent of the alleged concealment.

What's next: Legal teams at companies with federal contracts should closely monitor this case for potential impacts on breach disclosure obligations and cybersecurity compliance policies.