Crimson Collective Claims Theft of 570 GB of Data from Red Hat

The ransomware group Crimson Collective claims to have stolen 570 GB of data from more than 28,000 internal Red Hat repositories. Company representatives have confirmed that one of its GitLab instances was compromised.

According to the attackers, the stolen data includes approximately 800 Customer Engagement Reports (CERs), documents prepared for consulting clients that often contain sensitive details about networks, infrastructure, configurations, and even authentication tokens. Such information could be weaponized by malicious actors in follow-up attacks.

Red Hat’s Response

Red Hat acknowledged the incident and confirmed that it affected only its consulting business.

“Red Hat is aware of statements regarding a cyber incident related to our consulting business and we have taken all necessary steps to address the issue,” the company told Bleeping Computer. “The security and integrity of our systems, and the data entrusted to us, is our top priority. At this time, we have no reason to believe that the security issue has affected any other Red Hat services or products, and we are confident in the integrity of our software supply chain.”

The company emphasized that the breach was linked specifically to a GitLab instance used exclusively by Red Hat Consulting.

Hackers’ Claims

Meanwhile, Crimson Collective told journalists that the intrusion occurred about two weeks ago. They claim to have discovered authentication tokens, full database URIs, and other private information within Red Hat’s code and CERs—data they say has already been used to access client infrastructures.

On their Telegram channel, the group published what they describe as a full directory list of the stolen repositories and CERs dating from 2020 to 2025. The documents allegedly reference well-known organizations such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the Naval Surface Warfare Center, the Federal Aviation Administration, and the U.S. House of Representatives.

Failed Ransom Demands

The hackers also claimed they attempted to contact Red Hat with a ransom demand but received only a template email directing them to the company’s vulnerability reporting process. They allege that their ticket was passed between Red Hat lawyers and security specialists without further engagement.

Broader Activity

Crimson Collective has been linked to other recent activity. Last week, the group briefly defaced a page on a Nintendo website, posting its contact information and a link to its Telegram channel.