---
title: "Red Hat Confirms GitLab Breach Targeted Consulting Division Only"
date: 2025-10-03
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2025/10/red-hat-confirms-gitlab-breach.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Red Hat Confirms GitLab Breach Targeted Consulting Division Only

Red Hat has confirmed a security breach affecting one of its GitLab instances, exposing data tied to its consulting division after a cybercrime group claimed responsibility for the intrusion.

## Quick Summary – TLDR:

- Red Hat confirmed a breach of a GitLab instance used solely by its consulting team
- Cybercriminal group Crimson Collective claims to have stolen 28,000 internal repositories
- Exposed files may include sensitive data like network details, credentials, and customer engagement reports
- Red Hat states the attack does not affect its products, GitHub, or broader software supply chain

## What Happened?

Red Hat, a leading provider of open-source enterprise solutions and an IBM subsidiary, has acknowledged a breach in one of its internal GitLab instances. The breach, [confirmed](https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance) by Red Hat, involves a server used exclusively for consulting projects and not related to [GitHub](https://sqmagazine.co.uk/github-statistics/) or Red Hat’s core product infrastructure. A [cybercrime](https://sqmagazine.co.uk/cybercrime-statistics/) group calling itself **Crimson Collective** claims to be behind the attack.

> Security update: Incident related to Red Hat Consulting GitLab instance <https://t.co/EzKzoaEktM>
> 
> — Red Hat (@RedHat) [October 2, 2025](https://twitter.com/RedHat/status/1973834145009635761?ref_src=twsrc%5Etfw)

## Breach Involved 28,000 Internal Repositories

The breach, first reported by members of the cybersecurity press, stems from unauthorized access to Red Hat’s self-managed GitLab Community Edition instance used internally by its Consulting division. **Crimson Collective** claims it extracted **approximately 570GB of compressed data** containing over **28,000 private repositories**, many of which held **Customer Engagement Reports (CERs)**.

These CERs often include:

- **Project infrastructure details**.
- **Configuration data**.
- **Authentication tokens and database URIs**.
- **Internal code snippets and communications**.

Red Hat confirmed that such reports were part of the compromised content but stated that these typically do **not contain sensitive personal information**. So far, no personal data has been identified in the ongoing investigation.

## Claims and Fallout

Crimson Collective publicly listed affected entities on Telegram, showcasing a broad spectrum of clients allegedly exposed in the incident. The list includes high-profile names such as:

- Bank of America
- Walmart
- T-Mobile
- Mayo Clinic
- The U.S. Navy
- Federal Aviation Administration
- The House of Representatives

The hackers allege that by analyzing exposed CERs and code, they obtained credentials and tokens that could lead to **downstream compromise of customer networks**. They attempted to contact Red Hat for an extortion deal, but received only a templated reply directing them to submit a vulnerability report. The hackers claim the ticket was passed among Red Hat’s legal and security teams without a direct response.

## Red Hat’s Response and Remediation

In its official statement and security update, Red Hat stated:

> “Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities.”
> 
> Red Hat Official Statement

Red Hat emphasized that:

- The GitLab instance was **not connected to any Red Hat product or GitHub presence**.
- **The company’s software supply chain remains secure**.
- **No indication of broader Red Hat product compromise has been found**.

As a precaution, **additional hardening measures** have been implemented and **affected customers are being contacted directly**. Red Hat also noted that the instance is used only for certain consulting engagements, limiting the scope of exposure.

Meanwhile, the **Centre for Cybersecurity Belgium (CCB)** issued a warning, stating that the breach poses **a high risk to organizations using Red Hat Consulting**. They flagged the potential for stolen credentials and configuration data to be used in follow-on attacks.

## SQ Magazine’s Takeaway

I think this incident serves as a critical reminder that **even internal collaboration tools need robust security practices**. While it’s reassuring that Red Hat quickly isolated the [data breach](https://sqmagazine.co.uk/data-breach-statistics/) and protected its core systems, the fact that customer engagement data was stolen is concerning. **Trust is everything in enterprise software**, and even if personal data wasn’t exposed, the idea that infrastructure blueprints or tokens might be out there should put everyone on alert. I hope Red Hat brings more transparency as they learn more.