28,000 Customers, Including Banks and US Government Agencies, Appear to Be Affected

Commercial Linux distribution producer Red Hat is warning that attackers stole customer data from its consulting arm.
“We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements,” Red Hat said in a Thursday alert about a “security incident.”
Red Hat said the breach didn’t appear to compromise anything pertaining to its products, supply chain or other services. “We have now implemented additional hardening measures designed to help prevent further access and contain the issue,” it said.
IBM acquired Red Hat in 2019 for $34 billion, which was then the largest software acquisition in history.
The security incident came to light Wednesday when a group calling itself “Crimson Collective” said on a Telegram channel it launched on Sept. 24 that it breached Red Hat’s GitHub repositories and posted file trees. The group claimed to have stolen about 570 gigabytes of data from over 28,000 projects pertaining to individual customers, including approximately 800 customer engagement reports generated from 2020 through this year.
News of the breach was first reported by BleepingComputer.
Red Hat said it launched an investigation and blocked the attacker’s access. “Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance,” it said.
The Raleigh, North Carolina-based firm, which produces Red Hat Enterprise Linux, said it’s directly contacting all affected customers. “While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time,” it said.
“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets and internal communications about consulting services,” it said. “This GitLab instance typically does not house sensitive personal data.”
Based on a review of what attackers have leaked, the breached data does include “credentials, CI/CD secrets, pipeline configs, VPN profiles and infrastructure blueprints,” said cybersecurity analysts tied to the International Cyber Digest channel on social platform X.
The exposed customer engagement reports may also pose a risk. “CERs are formal documents that summarize the activities, findings, recommendations and outcomes of a consulting project or engagement between a consultant or consulting firm and a client,” said cybersecurity firm ZeroFox. “CERs are likely of interest to threat actors, as they typically contain a host of personally identifiable information such as full names, email addresses and phone numbers – all of which are highly sought after data used to conduct various social engineering campaigns.”
A full file tree published by the attackers to the paste site paste.to lists 3M, Accenture, Adobe, ADP, BNP Paribas, Boeing, Cisco, Citi, Deloitte, HSBC, IBM, NTT, O2, Sony, T-Mobile, UPS and Verizon as victims, among many others.
The claimed list of victims also includes numerous U.S. federal civilian and military agencies, including the Air Force, Customs and Border Protection, Department of Homeland Security and Federal Aviation Administration, as well as the U.S. Senate’s sergeant at arms.
British cybersecurity expert Kevin Beaumont said in a post to social network Mastodon that the 570GB figure refers to compressed data, and that it decompresses to about one terabyte of actual data.
Any data leaked by attackers could pose further risks to Red Hat and customers. “Exposure of internal repositories will very likely reveal proprietary code and security controls across Red Hat’s products and services, which would almost certainly enable threat actors to identify further exploitable weaknesses,” ZeroFox said.
Crimson Collective
The Crimson Collective group first emerged with its Sept. 24 Telegram channel launch.
Seven days later, when it announced the Red Hat breach, the group also claimed to have defaced Nintendo’s website, “likely to promote their operations,” said cybersecurity firm SOCRadar.
The next day, the group listed Claro Colombia, a telecommunications provider based in that country, as a victim, claiming “the theft of more than 50 million client invoices, as well as financial files, Salesforce records, phone call logs and internal developer repositories,” SOCRadar said.
“The Crimson Collective exploits misconfigured cloud storage – e.g., AWS S3 buckets, exposed secrets in codebases and vulnerable web applications,” said the analysts at International Cyber Digest. “They focus on data exfiltration and extortion, using Telegram to leak samples and pressure targets. Their operations blend ‘ethical’ warnings with profit-driven demands, though no specific malware or tools have been identified.”
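The two descriptions above (leaked CI/CD secrets, VPN profiles and cloud credentials; a group that hunts for exposed secrets in codebases) point at the same defensive control: scanning repositories and exports for secret material before an attacker does. The following is an added example, not code from Red Hat or from any of the firms quoted; the detection rules, the entropy threshold and the sample files are the example's own assumptions, and the AWS values are the placeholder keys from AWS's public documentation rather than real credentials.

```python
"""Small secrets scanner of the kind a defender would run over a GitLab export
or a consulting repository. Rules and thresholds are this example's assumptions."""
import math
import re
from dataclasses import dataclass

# Constructed sample inputs: a fabricated CI pipeline config, a fabricated VPN
# profile and a harmless README. The key material is a truncated dummy.
SAMPLE_FILES = {
    ".gitlab-ci.yml": """\
deploy:
  script:
    - export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
    - export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    - ./deploy.sh
""",
    "client.ovpn": """\
client
remote vpn.example.internal 1194
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7
-----END PRIVATE KEY-----
</key>
""",
    "README.md": "Project spec. Contact the team lead for access.\n",
}


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # masked so the scanner's own report does not re-leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and paths score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Detection rules, checked in order; the first rule that fires classifies the line.
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID format
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|key)\w*\s*[=:]\s*[\"']?([A-Za-z0-9/+_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # assumed cut-off; tune against your own repositories


def mask(value: str) -> str:
    """Keep only a short prefix so a finding can be located but not reused."""
    return value[:4] + "..." + "*" * 4


def classify_line(line: str):
    """Return (rule, matched_value) for the first rule that fires, else None."""
    if PRIVATE_KEY.search(line):
        return "private-key-block", line.strip()
    m = AWS_KEY_ID.search(line)
    if m:
        return "aws-access-key-id", m.group(0)
    m = ASSIGNMENT.search(line)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        return "high-entropy-assignment", m.group(2)
    return None


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = classify_line(line)
        if hit:
            rule, value = hit
            findings.append(Finding(path, line_no, rule, mask(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents, e.g. built from an export."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.preview})")
```

On the constructed sample this reports the access key ID and the high-entropy secret in the pipeline config and the private key block in the VPN profile, and nothing in the README. The entropy gate is what keeps the generic assignment rule from flagging ordinary configuration values; in practice the threshold and keyword list need tuning per code base, and the same check belongs in a pre-commit hook and in the CI pipeline so secrets are caught before they reach a shared instance.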
Not Tied to CVE-2025-10725
In its Thursday security alert, Red Hat said the consulting data breach has no relation to the security alert it issued Wednesday, pertaining to a Red Hat OpenShift AI vulnerability, assigned CVE-2025-10725.
Red Hat OpenShift AI is a platform for managing large language models, covering data acquisition as well as training, serving and monitoring LLMs.
“A low-privileged attacker with access to an authenticated account” could exploit the vulnerability to “escalate their privileges to a full cluster administrator,” posing risks to the information being stored. “The attacker can steal sensitive data, disrupt all services and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it,” Red Hat said.