Red Hat has suffered a security breach, confirmed by the company in a statement, that affected one of its GitLab instances and resulted in the theft of about 570 GB of compressed data from 28,000 internal development repositories belonging to the company's consulting arm, Red Hat Consulting. The company's GitHub repositories have not been affected, contrary to what was believed at first.
The stolen data also contains data from Red Hat customers. The attacking group, Crimson Collective, is estimated to have obtained about 800 Customer Engagement Reports (CERs), which hold sensitive information about customer platforms and networks. Although Red Hat has confirmed the attack, it has not confirmed the attackers' claim about the customer CERs they obtained.
A CER is a consulting document prepared by Red Hat for customers. It usually includes project specifications, example code snippets and various internal information about communications related to consulting services. According to what the attackers told Bleeping Computer, the breach happened approximately two weeks ago.
The group of attackers has also published on Telegram a list of the GitLab repositories whose data it has obtained, and a list of the CERs it has supposedly taken, ranging from 2020 to 2025. The list includes CERs for companies of all sectors and sizes. Among them, apparently, are Bank of America, T-Mobile, Walmart, Costco, the United States House of Representatives and the Federal Aviation Administration.
In addition to the statement, Red Hat has published a security update in which it acknowledges that it detected "unauthorized access to an instance of GitLab used for the internal collaboration of Red Hat Consulting in certain projects. After the detection, we immediately initiated an exhaustive investigation, removed the unauthorized party's access, isolated the instance and contacted the competent authorities. Our investigation, which is still ongoing, has revealed that an unauthorized third party had accessed and copied some data from this instance. We have now implemented additional hardening measures designed to help prevent new accesses and contain the problem."
The company has also stressed that the GitLab instance accessed in the attack is used only by members of its consulting division, and that the breach has no impact on other Red Hat products or on its supply chain. It also emphasizes that the software it offers for download through its official channels is not affected either. Red Hat is already contacting affected customers to share more information about which of their data may have been exposed.