
Whistleblower alleges IBM and AT&T covered up breaches by foreign hackers

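The lawsuit offers a rare account of security failures at two major government contractors, raising public questions about the protection of sensitive information on the networks and about how companies meet their obligation to disclose such compromises.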


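The whistleblower complaint against IBM and AT&T was filed under seal in 2020 and is still pending before a federal court in New York. Image credit: Getty Images, Matthias Balk/picture alliance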

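The computer systems of IBM and AT&T Inc. (hereafter AT&T) were repeatedly breached by foreign hackers, and the two companies failed to disclose those intrusions to the US government as the law requires, in alleged violation of the law, according to a lawsuit filed by a former IBM cybersecurity official.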

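William Barlow, IBM’s former vice president of threat intelligence, alleges in the complaint that the two companies concealed multiple intrusions by attackers linked to foreign governments over a period of years and made false assurances about the security of their own systems in order to win and keep federal government contracts.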

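The whistleblower complaint against IBM and AT&T was filed under seal in 2020 and is still pending before a federal court in New York. The complaint was made public only last week, after the US government decided not to intervene, and its details had not previously been reported.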

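The lawsuit offers a rare account of security failures at two major government contractors, raising public questions about the protection of sensitive information on the networks and about how companies meet their obligation to disclose such compromises.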

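According to the complaint, hackers breached IBM’s massive cloud computing infrastructure, which is widely used by many parts of the US government, including the military. AT&T operates this “Core Network” on behalf of IBM, and the Dallas-based telecommunications company’s systems are also part of that network, the complaint says.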

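The complaint alleges that unidentified foreign hackers repeatedly infiltrated the network and that the two companies were at times unable to determine who the intruders were or what information was stolen. It also says IBM downplayed or concealed the incidents before signing government agreements that required IBM to certify it had no significant unresolved cybersecurity issues.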

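“This lawsuit was filed six years ago, and the US Department of Justice decided not to intervene,” said IBM spokesperson Adam Pratt. “IBM firmly believes its conduct complied with the law.”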

Representatives of AT&T did not respond to requests for comment.

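According to the complaint, Barlow worked at IBM in two stints beginning in 2002, becoming vice president of threat intelligence in 2017 and holding that post until he resigned in 2019. He was quoted in a 2018 New York Times report about IBM offering cybersecurity training in a mobile command center built in a customized semitrailer truck. Since leaving, Barlow has remained active in the cybersecurity field, attending industry conferences and giving talks.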

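Jason T. Brown, Barlow’s attorney, declined to discuss the circumstances of his client’s departure and did not say whether the US Department of Justice has investigated the allegations in the False Claims Act suit. Brown said government decisions to intervene in such cases often take years, and that federal officials choosing not to intervene does not mean a suit lacks merit. He added that the allegations implicate billions of dollars of federal government business with AT&T and IBM.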

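“We will push this case forward in litigation with full force,” said Brown, of the firm Brown, LLC. “If a company really has these security problems internally, it cannot sell cybersecurity services to the federal government.”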

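In the complaint, Barlow says he personally witnessed IBM’s core network being breached by hackers many times, and that executives pressured him to soften internal reports and omit details. Barlow alleges he has specific information about multiple instances in which IBM senior management “actively took steps to cover up and conceal” hacking incidents from US regulators and government clients.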

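The complaint states: “The data breaches are so large in scale, and the design of the core network so seriously flawed, that IBM and AT&T cannot know for certain exactly what data was leaked, who the intruders were and where they got in, or whether any data was stolen, tampered with or altered in any way.”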

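The False Claims Act prohibits submitting false claims for payment to the US government. The law allows whistleblowers to sue over alleged fraud against the government. Federal authorities may intervene and effectively take over such cases. The government can recover as much as three times its losses, and the whistleblower can receive a portion of that amount.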

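This spring, after the US government decided not to intervene, a federal judge in New York ordered the case file unsealed. The court records do not explain the government’s decision, and Brown, Barlow’s attorney, said he does not know why the government made it.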

The US Department of Defense and Department of Justice did not respond to emailed questions. (财富中文网, Fortune China)

Translator: 中慧言-王芳


International Business Machines Corp. and AT&T Inc.’s computer systems were repeatedly breached by foreign hackers, and the companies concealed those intrusions from the US government in violation of the law, according to a lawsuit from a former IBM cybersecurity official.

William Barlow, IBM’s former vice president of threat intelligence, alleged in the complaint that the companies failed to disclose multiple breaches over years by attackers linked to foreign governments and made false assurances about the security of their systems in order to win and keep federal contracts.

The whistleblower complaint against IBM and AT&T was filed under seal in 2020 and is still pending before a federal court in New York. It was made public this week, after the US government declined to intervene in the case, and hasn’t been previously reported.

The suit offers a rare account of alleged security failures at two major government contractors. It raises questions about the protection of sensitive information on the networks, and about companies’ responsibility to disclose such compromises.

The hackers allegedly breached massive IBM cloud computing infrastructure that’s widely used by many parts of the US government, including the military. AT&T operates this “Core Network” on behalf of IBM, and the Dallas-based telecommunications company’s systems are part of it, according to the complaint.

The complaint alleges that foreign and unidentified hackers repeatedly infiltrated the network and that the companies sometimes couldn’t determine who got in, or what was taken. It also says IBM downplayed or concealed incidents before entering government agreements requiring it to certify it had no significant unresolved cybersecurity issues.

“This complaint was filed six years ago, and the US Department of Justice declined to intervene,” said IBM spokesperson Adam Pratt. “IBM is confident that our actions followed the letter of the law.”

Representatives of AT&T didn’t respond to requests for comment.

Barlow worked at IBM in two stints beginning in 2002, including serving as vice president of threat intelligence from 2017 until his resignation in 2019, according to the lawsuit. He was quoted in a 2018 New York Times report about IBM offering cyber trainings in a mobile command center built in a customized semitrailer truck. Since leaving the Armonk, New York-based company, Barlow has maintained a profile in the security industry, attending conferences and giving talks.

Jason T. Brown, an attorney for Barlow, declined to discuss the circumstances of his client’s resignation or say whether the Justice Department has investigated the allegations in the False Claims Act suit. Government decisions to intervene in such cases often take years and federal officials choosing not to get involved doesn’t indicate the merit of a complaint, Brown said. He added that the allegations implicate billions of dollars of federal business with AT&T and IBM.

“We’re looking forward to aggressively litigating the matter,” said Brown, of the firm Brown, LLC. “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.”

In his suit, Barlow claimed he personally witnessed numerous breaches of IBM’s core network and was pressured by executives to soften internal reports and omit details. Barlow alleged he knew of specific instances where IBM senior management “actively took steps to cover up and conceal” hacks from US regulators and government clients.

“The data breaches are so large and the core networks so poorly designed that neither IBM nor AT&T knows exactly what data was breached, who breached the data, where the data was breached or whether any data was exfiltrated, altered and/or modified in any respect,” the lawsuit alleges.

The False Claims Act bars submitting false claims for payment to the US government. The law allows private whistleblowers to sue for alleged fraud against the government. Federal authorities may step in and effectively take control of such cases. The government can recover as much as three times its damages and whistleblowers can be awarded a portion of those damages.

A federal judge in New York ordered the suit be unsealed this spring after the US government declined to intervene. The court records don’t explain the government’s decision and Brown, Barlow’s attorney, said he didn’t know what motivated it.

The departments of Defense and Justice didn’t respond to emailed questions.

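The intellectual property rights in content published by 财富中文网 (Fortune China) are exclusively owned or held by 财富媒体知识产权有限公司 and/or the relevant rights holders. Any use without permission, including reprinting, excerpting, copying and mirroring, is prohibited.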