Red Hat Consulting, a provider of expert technical services to large enterprises, suffered a major breach by the extortion group **Crimson Collective**, linked to actors associated with **LAPSUS$** and **Scattered Spider**. The attackers exfiltrated **customer documentation, source code, proprietary consultancy reports, and sensitive assets**, including **.pfx private certificates** for entities such as **ING Bank and Delta Airlines**. Over **32 million files** were compromised, affecting **more than 5,000 enterprise customers**, including high-profile organizations such as **HSBC, Walmart, NHS Scotland (via Atos Group), AIR, AMEX GBT, and BOC**.

The breach exposed **consultancy engagement reports, internal assets, and proprietary code**, posing severe risks of **fraud, intellectual property theft, and operational disruption**. The leaked data includes **highly sensitive credentials and certificates**, necessitating urgent remediation, including **credential rotation, security reviews, and incident response measures**. The scale and sensitivity of the stolen data suggest **long-term reputational damage, financial losses, and potential regulatory penalties**. Crimson Collective's ties to **LAPSUS$** (a group known for high-impact attacks on telecoms and critical services) further escalate the threat severity, as the group has demonstrated a pattern of **targeting major service providers with systemic consequences**.
Source: https://gbhackers.com/red-hat-breach-impacts-5000-customers-data-at-risk/
TPRM report: https://www.rankiteo.com/company/red-hat
{
  "id": "red4732847100725",
  "linkid": "red-hat",
  "type": "Breach",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '5,000+ enterprise customers',
'industry': 'IT Services',
'name': 'Red Hat Consulting',
'type': 'Technology Consulting Firm'},
{'name': 'AIR', 'type': 'Organization'},
{'industry': 'Financial Services/Travel',
'name': 'AMEX GBT',
'type': 'Travel Management Company'},
{'industry': 'Healthcare',
'location': 'UK (Scotland)',
'name': 'Atos Group (NHS Scotland)',
'type': 'IT Services/Healthcare'},
{'name': 'BOC', 'type': 'Organization'},
{'industry': 'Financial Services',
'name': 'HSBC',
'type': 'Bank'},
{'industry': 'Retail',
'name': 'Walmart',
'type': 'Retail Corporation'},
{'industry': 'Financial Services',
'name': 'ING Bank',
'type': 'Bank'},
{'industry': 'Aviation',
'name': 'Delta Airlines',
'type': 'Airline'},
{'industry': 'Telecom',
'name': 'Claro',
'type': 'Telecommunications Provider'},
{'industry': 'Telecom',
'name': 'Vodafone',
'type': 'Telecommunications Provider'}],
'attack_vector': ['Social Engineering (likely)',
'Insider Threat (possible)',
'Exploitation of Vulnerabilities (unconfirmed)'],
'customer_advisories': 'Enterprises should assume all stolen data may become '
'public; urgent action required for credential '
'rotation and security reviews.',
'data_breach': {'data_exfiltration': 'Yes (2.2 GB ZIP file leaked, with file '
'tree evidence)',
'file_types_exposed': ['.pfx (private certificates)',
'PDF (consultancy reports)',
'Source code files',
'Internal documents'],
'number_of_records_exposed': '32,000,000+ files (370,852 '
'directories, 3,438,976 files '
'initially leaked)',
'personally_identifiable_information': 'Likely (given the '
'nature of consultancy '
'reports and private '
'certificates)',
'sensitivity_of_data': 'High (includes private certificates, '
'PII, and proprietary enterprise data)',
'type_of_data_compromised': ['Customer Documentation',
'Source Code',
'Consultancy Reports',
'Private Certificates (.pfx)',
'Proprietary Code',
'Internal Assets']},
'date_detected': '2025-09-13',
'date_publicly_disclosed': '2025-09-13',
'description': 'An extortion group calling itself Crimson Collective claimed '
'responsibility for a major breach at Red Hat Consulting. The '
'attackers exfiltrated customer documentation, source code, '
'and other sensitive assets, including private certificates '
'for high-profile organizations like ING Bank and Delta '
'Airlines. The breach impacts over 5,000 enterprise customers, '
'with leaked files totaling over 32 million. Crimson '
'Collective, linked to LAPSUS$-associated actors, demonstrated '
"the breach's legitimacy by publishing sample consultancy "
'reports for seven organizations, including HSBC and Walmart.',
'impact': {'brand_reputation_impact': 'Severe (high-profile breach with '
'sensitive data exposure, including '
'major corporations like HSBC, Walmart, '
'and ING Bank)',
'data_compromised': ['Customer Documentation',
'Source Code',
'Consultancy Engagement Reports (CERs)',
'Private Certificates (.pfx)',
'Proprietary Code',
'Internal Assets'],
'identity_theft_risk': 'High (private certificates and internal '
'assets leaked)',
'legal_liabilities': 'Potential (due to exposure of sensitive '
'customer data, including PII and proprietary '
'information)',
'operational_impact': 'High (urgent credential rotation, security '
'reviews, and remediation required for '
'5,000+ enterprise customers)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (monitoring '
'advised for traded '
'copies)',
'high_value_targets': ['ING Bank',
'Delta Airlines',
'HSBC',
'Walmart',
'NHS Scotland (via Atos '
'Group)']},
'investigation_status': 'Ongoing (Red Hat under pressure to bolster security; '
'trial pending for linked actor Thalha Jubair)',
'lessons_learned': ['Extortion groups with minimal initial following can '
'rapidly escalate threats.',
'LAPSUS$-linked actors continue to target high-value '
'service providers (e.g., telecoms, consulting firms).',
'Private certificates and proprietary code are high-risk '
'targets for extortion.',
'Proactive monitoring of dark web/darknet markets is '
'critical post-breach.'],
'motivation': ['Financial Gain', 'Notoriety', 'Data Theft for Extortion'],
'post_incident_analysis': {'corrective_actions': ['Overhaul of Red Hat '
'Consulting’s security '
'measures for client data '
'protection.',
'Implementation of adaptive '
'behavioral WAF and network '
'segmentation '
'(recommended).',
'Enhanced monitoring for '
'anomalous access '
'patterns.'],
'root_causes': ['Potential insider threat or '
'social engineering (linked to '
'LAPSUS$ tactics)',
'Inadequate security controls for '
'high-value consulting assets',
'Lack of proactive dark web '
'monitoring for early threat '
'detection']},
'ransomware': {'data_exfiltration': 'Yes (primary extortion tactic)',
'ransom_paid': 'Discouraged (Red Hat advises against paying)'},
'recommendations': ['Rotate all certificates and credentials immediately.',
'Review and harden security configurations across all '
'systems.',
'Implement comprehensive incident response plans with '
'third-party support.',
'Avoid paying ransoms to prevent incentivizing further '
'attacks.',
'Monitor for leaked data on dark web forums and '
'marketplaces.',
'Strengthen internal controls, especially for consulting '
'firms handling sensitive client data.',
'Enhance employee training to mitigate insider threats '
'and social engineering risks.'],
'references': [{'source': 'Brian Krebs (Security Researcher)'},
{'source': 'Kevin Beaumont (Mastodon)'},
{'date_accessed': '2025-09-13', 'source': 'GBHackers (GBH)'}],
'regulatory_compliance': {'regulatory_notifications': 'Likely required (given '
'exposure of sensitive '
'customer data, '
'including EU-based '
'entities like ING '
'Bank)'},
'response': {'communication_strategy': ['Public disclosure',
'Client notifications',
'Ongoing updates via Kevin Beaumont '
'(Mastodon)'],
'containment_measures': ['Urgent credential rotation',
'Security configuration reviews'],
'enhanced_monitoring': 'Recommended for all affected '
'organizations',
'incident_response_plan_activated': 'Yes (Red Hat began '
'notifying affected clients)',
'remediation_measures': ['Comprehensive remediation plans for '
'affected customers',
'Monitoring for traded copies of stolen '
'data']},
'stakeholder_advisories': 'Affected organizations advised to contact Red Hat '
'Consulting support for list of stolen files and '
'remediation guidance.',
'threat_actor': 'Crimson Collective (linked to LAPSUS$ and Scattered Spider)',
'title': 'Red Hat Consulting Data Breach by Crimson Collective',
'type': ['Data Breach', 'Extortion', 'Unauthorized Access']}