The Crimson Collective hacking group claims to have stolen 570 GB of data from Red Hat.

The ransomware group Crimson Collective has claimed to have stolen 570 GB of data from 28,000 internal Red Hat repositories. Company representatives confirmed that one of its GitLab instances was breached.

The attackers report that the stolen data includes about 800 Customer Engagement Reports (CERs), which contain confidential information about customers’ networks and platforms.

CERs are consulting documents prepared for clients and often contain infrastructure details, configuration data, authentication tokens, and other information that attackers could use to mount attacks.

Red Hat representatives have confirmed that they experienced a cyber incident that affected the company’s consulting business.

“Red Hat is aware of claims regarding a cyber incident involving our consulting business, and we have taken all necessary steps to address the issue,” Red Hat told Bleeping Computer. “The security and integrity of our systems, as well as the data entrusted to us, are our top priority. At this time, we have no reason to believe that the security issue has affected any other Red Hat services or products, and we are confident in the integrity of our software supply chain.”

Red Hat confirmed that the incident is linked to the breach of a GitLab instance used exclusively by Red Hat Consulting—that is, for consulting projects.

At the same time, hackers from Crimson Collective told reporters that the breach occurred about two weeks ago. According to the attackers, they found authentication tokens, full database URIs, and other private information in the Red Hat and CER code, which they allegedly have already used to gain access to customers’ infrastructure.

On its Telegram channel, the group published a complete list of directories allegedly stolen from GitLab repositories, as well as a list of CERs from 2020 to 2025. The CER list names many well-known organizations, including Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the Naval Surface Warfare Center, the Federal Aviation Administration, the U.S. House of Representatives, and others.

The hackers said they tried to contact Red Hat to demand a ransom but received only a template email with instructions on how to submit a vulnerability report to the company’s security team. According to the attackers, the ticket they created was repeatedly forwarded to other employees, including Red Hat’s lawyers and security specialists.

As the publication notes, the Crimson Collective group also claimed responsibility for the brief defacement of a Nintendo website page last week. The hackers posted their contact information and a link to a Telegram channel there.