Executive Risk & Board Advisory

AT&T Holds the Keys to Federal Surveillance. A Whistleblower Says It Hid the Break-Ins.

Dipan Mann
Founder, CEO & CTO
June 6, 2026
13 minute read

On June 4, a whistleblower complaint was unsealed in a federal court in New York. It had been sitting under seal for six years. The allegations in it are serious enough on their own: that IBM and AT&T concealed years of foreign intrusions into a government cloud network, and certified to federal agencies that their security was sound when it was not. But the reason this particular complaint matters more than the dozen other breach stories of the season is the identity of one of the defendants. AT&T is not just another contractor. AT&T holds some of the most sensitive keys in the United States government, and a confirmed Chinese intrusion already reached for one set of them. If the whistleblower is right, the company trusted with the wiretap system and a military cloud spent years treating foreign break-ins as something to be managed quietly rather than disclosed.

What the Complaint Actually Says

The lawsuit was brought by William Barlow, who served as IBM's vice president of threat intelligence until August 2019. It was filed under seal in 2020 under the False Claims Act, the federal statute that lets insiders sue on the government's behalf when a contractor defrauds it. It stayed sealed for six years. The US Department of Justice declined to intervene, and the complaint became public this week.

That last point needs stating plainly, because it cuts both ways and the piece is only credible if it does. The government declining to intervene is not a finding that the allegations are false. It is a decision not to commit federal resources to the case, which whistleblowers are then free to litigate on their own. IBM says the complaint is old, that the DOJ passed on it, and that the company is confident its actions followed the letter of the law. AT&T did not respond to reporters' requests for comment. Nothing here has been proven in court. All of that is true, and all of it should be held in mind through everything that follows.

Here is what the complaint alleges. The center of it is a system called Core Network, described in the filing as a large IBM cloud infrastructure used across the US government, including the military, and operated by AT&T on IBM's behalf. According to Barlow, that network was “routinely hacked by foreign state actors and others,” data was frequently stolen, and the affected government agencies were never told.

The specific campaign at the heart of the complaint is attributed to APT10, the Chinese state-linked group that then-FBI Director Christopher Wray said had targeted a “Who's Who” of the global economy when its members were indicted in 2018. Barlow alleges that in March 2017 the Five Eyes intelligence alliance (the US, UK, Canada, Australia, and New Zealand) warned IBM it had been breached, which set off an internal investigation. That investigation, according to the complaint, concluded APT10 may have accessed IBM's network more than 56,000 times between 2013 and 2016.

Then the detail that should stop any executive cold. The company could not investigate further, the complaint says, because it had not kept logs of who accessed the network and when. The most basic record in security, the audit log, the thing that lets you reconstruct what happened, did not exist. In the complaint's own words, because the Core Network infrastructure was “archaic, hackers have been able to gain access to the system on numerous occasions and can roam almost anywhere undetected.”

A follow-on internal probe, per the complaint, found attackers had reached nearly 400 compromised accounts and almost 200 systems and servers across 18 countries and every IBM business unit. The filing goes further still, in language that is its own indictment: the breaches were “so large and the core networks so poorly designed that neither IBM nor AT&T knows exactly what data was breached, who breached the data, where the data was breached or whether any data was exfiltrated, altered and/or modified in any respect.” And Barlow alleges that senior IBM management “actively took steps to cover up and conceal” the hacks from US regulators and government clients. When officials from the NSA came asking him about hacks attributed to China, he alleges he was instructed to “dodge” their questions. The complaint does not say who gave that instruction.

Barlow's attorney, Jason Brown, reduced the whole matter to one sentence worth repeating, because it is the thesis of this entire piece. “You can't sell cybersecurity to the federal government while allegedly having these security problems within your own company.”

💡 Key Insight

You cannot sell the federal government cybersecurity while allegedly hiding the fact that your own networks, including the ones holding the government's wiretap keys, are being routinely robbed. That is not a contradiction at the edges. It is the whole business model in question.

Why AT&T Is Not Just Another Defendant

If this complaint named two ordinary contractors, it would be a serious story and a narrow one. It does not. It names AT&T, and AT&T occupies a position in American national security that almost no other private company occupies. To understand why this matters, you have to hold three facts about the company in your head at the same time.

The first fact. AT&T operates the systems that make court-authorized wiretapping possible. Under the Communications Assistance for Law Enforcement Act, the 1994 law known as CALEA, every major US telecom is required to build surveillance capability into its network so that law enforcement, with a court order, can intercept a target's communications. Those CALEA systems are, in the words of one analysis, the crown jewels of American signals intelligence. They hold the list of who the government is lawfully surveilling.

The second fact. Those exact systems were breached. In the campaign that came to be known as Salt Typhoon, Chinese state hackers accessed the lawful-intercept infrastructure at major US carriers, with AT&T and Verizon named among the providers. The intruders did not just take call records. They reportedly obtained a nearly complete list of the phone numbers US law enforcement was actively wiretapping. Read that for what it is. A list of the people America was surveilling, a great many of them presumably foreign intelligence targets, handed to a foreign intelligence service. China learned which of its own operatives the United States had identified. And in December 2025, the Senate Commerce Committee concluded the carriers “have failed to prove the Chinese hackers have been eradicated from their networks.”

The third fact. AT&T spent years presenting itself to the market as a cybersecurity leader. After acquiring the security firm AlienVault in 2018, it built AT&T Cybersecurity into one of the larger managed-security businesses in the country, serving, by the unit's own account, most of the Fortune 1000 and a long list of federal, state, and local government customers. In 2024 it spun that business out as LevelBlue, a standalone managed security service provider, while keeping a minority stake and a board seat. For the better part of a decade, in other words, AT&T sold other organizations the promise that it could detect, investigate, and respond to exactly the kind of intrusion the whistleblower says it failed to disclose in its own house.

Put the three facts in a single line. The company that holds the government's wiretap keys, that had those keys reached by Chinese hackers, and that sold the public on its security expertise, is the same company a former IBM threat-intelligence chief now alleges spent years hiding foreign break-ins from the government. That is not a vendor problem. That is a national-security problem wearing a marketing budget.

The Pattern That Connects This to Everything Else

The reflex the complaint describes (discover an intrusion, characterize it as smaller than it is, decline to tell the customer whose data it was) is not unique to this case. It is the defining feature of an entire season of cyber news, and it is the reason this story is the keystone rather than just another entry.

Look at the same reflex in the other recent cases. Senator Maria Cantwell has alleged that, while the Salt Typhoon breach was being investigated, AT&T and Verizon blocked the security firm Mandiant from releasing its forensic reports, and that telecom incident responders were reportedly told by outside counsel not to go looking for the intruders in the first place. When a CISA contractor exposed the agency's cloud keys this spring, CISA's public line was that there was no indication any sensitive data was compromised, even as outside researchers were still finding live credentials it had not rotated. And now a whistleblower alleges that when foreign hackers were found roaming a military cloud network, the instruction was to dodge the NSA.

Don't look. Don't tell. Don't confirm.

It is the same posture in three different buildings, and it is rational behavior for each institution taken alone. Disclosure is expensive. It invites liability, regulatory scrutiny, lost contracts, and reputational damage. The incentive, every time, is to make the intrusion sound smaller and more contained than the evidence supports, and to do it before anyone outside can check. What is rational for each institution is corrosive for the country, because the customer, the agency, the board, the citizen whose data it is, is left believing a system is secure that the people running it privately know is not.

56,000
The number of times the Chinese state group APT10 may have accessed IBM's network between 2013 and 2016, according to an internal investigation described in the whistleblower complaint. The company allegedly could not determine what was taken, because it had kept no logs.
Zero Logs
The complaint alleges IBM could not investigate the full extent of the intrusions because it had not kept access logs. In its own words, the breaches were so large and the networks so poorly designed that the company did not know what data was taken, by whom, or whether it was altered.
Dodge
What a former IBM vice president of threat intelligence alleges he was told to do when the NSA asked him about hacks attributed to China. The complaint does not say who gave the instruction. The allegations are unproven; the government declined to intervene.

What This Means If You Are a Board or an Acquirer

It would be easy to read this as a story about two giant companies and a government most readers do not work for. That reading misses the point, because the mechanism on display generalizes directly into far smaller rooms.

Start with the audit logs, or the absence of them. The single most damning operational detail in the complaint is not the 56,000 intrusions. It is that the company allegedly could not tell what the hackers did, because it had never kept records of who accessed the network. That is not an exotic failure. It is one of the most common findings in mid-market cyber diligence: systems that generate no usable log, environments where an intrusion could be reconstructed only if someone had been recording, and no one was. If a company the size of IBM allegedly ran a federal network this way, the odds that a 300-person acquisition target is doing better are not good. The first question in any technical diligence is not whether there has been an incident. It is whether the company would even be able to tell. In a large share of cases, the honest answer is no.
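One way to turn the diligence question above, whether a target could even tell that an intrusion happened, into a repeatable check. This is an added illustration, not Cloudskope's tooling or anything from the complaint; the inventory, the source kinds, and the staleness threshold are constructed for the example.

```python
"""Audit-log coverage check for technical diligence (illustrative example).

Given a constructed inventory of systems and the log sources covering them,
report which systems could NOT reconstruct access within a lookback window.
A system is "blind" if it has no access/authentication log source, if that
source's retention is shorter than the window, or if the source has gone
stale (stopped emitting events), which is as bad as having no log at all."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class LogSource:
    kind: str            # constructed categories: "auth", "netflow", ...
    retention_days: int  # how far back the source can still be queried
    last_event: date     # most recent event actually seen in the source


@dataclass
class System:
    name: str
    sources: list


def coverage_gap(system, today, lookback_days, stale_days=1):
    """Return the reasons this system cannot reconstruct who accessed it
    over the lookback window; an empty list means coverage is adequate."""
    reasons = []
    auth = [s for s in system.sources if s.kind == "auth"]
    if not auth:
        return ["no access/authentication log source"]
    for s in auth:
        if s.retention_days < lookback_days:
            reasons.append(f"{s.kind}: retention {s.retention_days}d < {lookback_days}d window")
        if (today - s.last_event).days > stale_days:
            reasons.append(f"{s.kind}: stale, last event {s.last_event}")
    return reasons


def blind_systems(inventory, today, lookback_days):
    """Map each failing system name to its list of reasons."""
    return {s.name: g for s in inventory if (g := coverage_gap(s, today, lookback_days))}


# Constructed sample inventory; assumed values, not from any real network.
TODAY = date(2026, 6, 6)
INVENTORY = [
    System("vpn-gw", [LogSource("auth", 400, TODAY)]),
    System("jump-host", [LogSource("auth", 30, TODAY)]),
    System("legacy-db", [LogSource("netflow", 365, TODAY)]),
    System("mail-relay", [LogSource("auth", 400, TODAY - timedelta(days=45))]),
]

if __name__ == "__main__":
    for name, why in blind_systems(INVENTORY, TODAY, 365).items():
        print(f"{name}: " + "; ".join(why))
```

Run against a real inventory, the set of blind systems is the answer to "would they even be able to tell," and a reps-and-warranties attestation that covers those systems is resting on nothing.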

Then the disclosure reflex, which is the part that should reshape how acquirers weigh management representations. Every acquisition agreement contains reps and warranties in which the seller attests to the state of its security and its history of incidents. This complaint is a six-year, sworn allegation that a sophisticated company made exactly those kinds of assurances to its largest customer while allegedly knowing they were not true. The lesson is not that every seller is lying. It is that the assurance itself, the clean attestation, the “no known material incidents,” carries far less information than buyers have traditionally assigned to it, because the incentive to under-report is strong and the mechanisms to verify are weak. A representation is only as good as the logging and the independent testing behind it, and in this case the complaint alleges both were missing.

And then the marketing question, which applies to any vendor a board relies on. AT&T sold cybersecurity services while, per the complaint, allegedly failing to secure or disclose breaches of its own most sensitive systems. The existence of a security product line, a SOC, a threat-intelligence team, a glossy capabilities deck, tells you what a vendor sells. It does not tell you how the vendor runs its own house, and the two can diverge sharply. The only reliable signal is independent verification: not the vendor's assurance that it is secure, not its marketing, but evidence, produced by someone whose incentive is to find the problem rather than to sell past it.

The Stakes, Stated Plainly

Hold the caveats firmly. The allegations are unproven. The complaint is six years old. The government declined to intervene, and IBM says it followed the law. A court may ultimately find for the defendants on every count. None of that is decided here, and none of it should be assumed.

But the significance of the complaint does not actually depend on how it is resolved, because the surrounding facts are not in dispute. AT&T does operate CALEA wiretap infrastructure. That infrastructure was breached by a Chinese state group, by the government's own account. The Senate has said the telecoms cannot prove the hackers are gone. AT&T did build and market a major cybersecurity business. And the disclosure reflex the complaint describes (downplay, delay, decline to notify) is the same reflex visible across the other infrastructure stories of the season. The lawsuit did not invent that pattern. It documented one more, especially serious, instance of it, inside one of the few companies whose failures rise to the level of a national-security concern.

The country has spent years being told that its most sensitive networks are in capable, security-conscious hands. This complaint is a sworn allegation, from someone who held the title of vice president of threat intelligence, that in at least one of those hands the actual practice was to keep no logs, miss tens of thousands of intrusions, and dodge the NSA when it asked. Whether or not it is proven, it is the kind of claim that should change what a board, an acquirer, or a government accepts as evidence that a system is secure. The right response to “trust us, it's handled” was always “show me.” This is what it costs when no one does.

Read This With the Rest

This is one of five connected stories from a single sixty-day window in 2026. The cover analysis, Five Warnings in Sixty Days: The Keys to America's Infrastructure Are Not Being Held, connects all five and links to each of the detailed investigations.

Conclusion

A whistleblower says the company holding the government's wiretap keys spent years treating foreign break-ins as something to manage quietly. It may never be proven. But AT&T does hold those keys, Chinese hackers did reach them, and the Senate says they may still be inside. The question the complaint forces is not whether one company behaved badly. It is how much of the country's security rests on assurances from institutions whose strongest incentive, in the moment that matters most, is to tell you there is nothing to see.

CLOUDSKOPE VIEW

Cloudskope advises private equity firms, boards, and portfolio-company operators on the exposure this case illustrates: whether an acquisition target could even detect an intrusion, how much weight a security representation can actually bear, and why independent verification, not a vendor's own assurance, is the only reliable signal in cyber diligence.