Key Takeaways

  • A whistleblower lawsuit alleges IBM and AT&T withheld information about repeated foreign intrusions into IBM’s cloud infrastructure.
  • The filing aligns with past concerns across telecom and IT sectors about transparency, logging gaps, and long-term exposure to advanced persistent threats.
  • Analysts point to broader systemic risks in national communications infrastructure and emphasize the role of established cybersecurity frameworks.

The allegations now facing International Business Machines Corp and AT&T Inc did not surface overnight. They arrived wrapped inside a False Claims Act complaint that had been sitting under seal since 2020, finally unsealed this week after the US government chose not to intervene. The suit, filed by a former vice president of threat intelligence, paints a picture of long-running security failures, repeated intrusions, and what the complaint describes as deliberate downplaying of breach severity before major federal contracting decisions.

The scale of the network at issue underscores the severity of the allegations. IBM’s cloud computing infrastructure serves as a backbone environment across government agencies, including military customers. AT&T operates the Core Network that supports it. Allegations that both companies faced intrusions they could not fully trace point toward systemic exposure.

The complaint describes foreign and unidentified hackers repeatedly breaching the Core Network, sometimes without the companies being able to determine who accessed what, or whether any data had been exfiltrated or altered. Chinese government-backed groups, including APT 10, are explicitly referenced. An IBM spokesperson responded that the complaint was filed six years ago and reaffirmed that the company believed its actions followed the letter of the law. AT&T declined to comment.

The whistleblower claims to have witnessed numerous incidents while serving in senior cybersecurity roles between 2017 and 2019, alleging pressure to soften internal reporting. According to the suit, internal investigations uncovered more than 50,000 potential APT 10 hits between 2013 and 2016 and later found nearly 400 compromised accounts across almost 200 systems in 18 countries. These findings allegedly collided with weak logging practices that prevented deeper forensic work. If accurate, the situation echoes warnings from long-standing federal guidance. For example, the NIST discussion on incident reporting in NIST SP 800-150 highlights how inadequate logs allow adversaries to persist for years.

Questions about transparency have surfaced before for both companies in different contexts. IBM agreed in 2020 to pay $900,000 to resolve US Defense Department claims that it had not properly secured systems tied to earlier hacking activity. Separately, AT&T has long been under a different kind of whistleblower spotlight stemming from a former technician's disclosures that AT&T operated a splitter facility giving the NSA access to backbone traffic, a case that resurfaced in public analysis from the Electronic Frontier Foundation in 2025. Taken together, these episodes illustrate how sensitive infrastructure has historically been handled.

Industry data points suggest the issue is not isolated. Verizon’s DBIR 2024 notes that 62% of intrusion incidents involved vulnerabilities left unpatched for more than a year, indicating slow detection and uneven remediation. Analysts at Bloomberg and DataCenter Knowledge have reported that breaches in critical infrastructure often take months or even years to surface. IBM’s own Cost of a Data Breach 2023, published with Ponemon, estimated that critical infrastructure breaches averaged $5.04 million, a figure that reinforces why persistent monitoring matters.

Another angle raised by analyst firms such as Gartner concerns the operational dependencies created when technology providers serve as both infrastructure operators and government contractors. That dual role creates an environment where incident disclosure is intertwined with contract renewals, competitive positioning, and regulatory expectations. This lawsuit probes exactly that tension.

The suit also challenges internal governance processes. One example cited is the allegation that the whistleblower was told to avoid answering National Security Agency questions about APT 10-related concerns. The filing does not specify who issued that directive, but it highlights the tension security practitioners face between internal messaging and external accountability.

From an industry standards perspective, the situation aligns with concerns outlined in the NIST Cybersecurity Framework and the NIST SP 800-61 guidance on incident handling, which stress timely detection, coordinated disclosure, and communication with partners. FCC expectations for significant incident reporting in telecom have also grown more explicit in recent years as the sector has faced increased scrutiny.

Looking across the broader telecom and cloud ecosystem, the complexity of attribution and the operational blind spots described in the filing stand out. Logging gaps, sprawling multi-country server environments, and shared operational responsibilities between IBM and AT&T form a landscape that complicates incident response. The struggles of two of the largest vendors in the sector to detect who was inside their environment point to broader challenges for smaller providers with fewer resources.

Analysts at Reuters and the Wall Street Journal have previously noted that whistleblower-driven cases under the False Claims Act can take years to resolve and that government decisions not to intervene often reflect resource limits more than the strength of the underlying claims. That context matters here, especially since the whistleblower's attorney highlighted that billions of dollars in federal business may be implicated.

The whistleblower's long tenure at IBM, involvement in public-facing training initiatives, and continued presence in the security community create a nuanced backdrop. Personnel on the front lines of threat intelligence often possess a different vantage point on internal response dynamics. The specific technical claims in this lawsuit remain significant enough that industry observers are monitoring the outcome closely.

As the legal proceedings develop, this case is likely to reignite debate on how cloud and telecom providers handle internal detection, breach reporting, and whistleblower engagement. It may also push policymakers to revisit reporting expectations for contractors operating essential systems. The outcome, regardless of direction, will be viewed through the lens of a sector where advanced persistent threats continue to test the resilience of national infrastructure.