IBM Sells Cybersecurity to the Government While Hiding Its Own Breaches - a Former Executive Claims

A company that sells cybersecurity to the US government while hiding its own breaches at the same time. That, in short, is the accusation a former senior IBM executive is putting on the table - and not on a forum, but as a formal whistleblower complaint.

William Barlow, until 2019 the vice president for threat detection at IBM, claims the company covered up multiple breaches by Chinese hackers and failed to report them to the authorities. The most serious case concerns IBM's own network: between 2013 and 2016, a group linked to the Chinese government, known as APT 10, allegedly entered the systems over 56,000 times. The internal investigation, according to the complaint, found nearly 400 compromised accounts and around 200 systems across 18 countries.

Barlow lists two more cases - the cybersecurity startup Trusteer and the healthcare company Truven, both bought by IBM and both allegedly breached, with only a superficial investigation and no real reporting. What's especially awkward: intelligence agencies from the "Five Eyes" countries (the US, Britain, Canada, Australia and New Zealand) warned IBM about the intrusion as far back as March 2017.

IBM hits back short and cold: "This complaint was filed six years ago, and the US Department of Justice declined to get involved. IBM is confident that our actions were in accordance with the law." Translation: you proved nothing then, you won't prove anything now.

Barlow's lawyer puts a finger where it hurts most: "You can't sell cybersecurity to the federal government while you allegedly have those same security problems in your own company." Whether the court will agree is one question. The other, harder one, is how many other big names do the same - staying silent about their own holes while charging others to plug them.