
Cybersecurity Alert – Red Hat Security Incident

Impact: All Firms

FINRA member firms should be aware of a security incident involving Red Hat Consulting after threat actors breached a self-managed GitLab instance used by its consulting division. The breach exposed sensitive data about Red Hat customers—including configuration data, authentication tokens, infrastructure details and more—that could be abused to breach member firm customer networks. FINRA has identified a material number of member firms’ vendors that appear to have been impacted by this incident; with that in mind, FINRA recommends member firms share this Cyber Alert not only with appropriate information technology and information security personnel, but with firms’ third-party vendors as well.

Note: FINRA also contacted firms that indicated through FINRA’s Third-Party Vendor Questionnaire a vendor relationship with Red Hat Consulting, or that FINRA identified as having a potential technology link with the vendor.

Summary

In October 2025, Red Hat confirmed a security incident after attackers breached a self-managed GitLab instance used by its consulting division. The attackers, identifying themselves as the “Crimson Collective,” claimed responsibility and began leaking the data.

Key techniques included:

  • unauthorized access to the GitLab environment, enabling exfiltration of internal repositories;
  • theft of approximately 570 GB of compressed data from over 28,000 repositories;
  • exposure of around 800 Customer Engagement Reports (CERs), which contained sensitive information such as infrastructure details, configuration data, authentication tokens, and other information that could be abused to breach customer networks; and
  • public posting of stolen repository listings and samples on Telegram channels.

The main goal appeared to be large-scale data theft and extortion, leveraging stolen credentials, configuration data and consulting documents for potential follow-on attacks.

Red Hat stated that upon detection, they “promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities.” Their ongoing investigation found an unauthorized third party had accessed and copied some data from this instance.

Red Hat also stated they have now implemented additional hardening measures designed to contain the issue and help prevent further access.

This incident highlights how self-hosted developer platforms can become high-value targets. Even when core products and managed services remain unaffected, adjacent environments like consulting GitLab instances can be exploited to harvest sensitive data and pressure organizations through leaks and extortion.

Recommendation to Protect Your Firm

To protect against this vulnerability, FINRA recommends member firms discuss with their critical vendors whether the vendors have been impacted by the incident and, if so, determine whether the firm’s data are potentially impacted and what steps the vendor has taken to remediate and contain the incident.

FINRA encourages member firms that identify data breaches or attempted data breaches to contact your Risk Monitoring Analyst and report them to:

Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.
