The files we stole from you clearly fall under trade secret protections. You could face legal action under European Directive 2016/943 and United States Code, Title 18, Section 1836.
Red Hat is facing allegations of this nature, leveled by a cybercrime group. At the heart of the matter is the compromise of one of its GitLab instances, tied to its advisory services.
The group has admitted to data exfiltration. They claim, among other things, that this includes project specifications, code fragments, internal communications, and contact information.
A Potential Mountain of Infrastructure Secrets
The cybercriminals in question go further. With samples to back their claims, they assert they have stolen, among other things:
- Authentication tokens and API keys
- Ansible playbooks and OpenShift blueprints
- Results from security audits
- Inventories, VPN profiles, network topologies, etc.
There are tens of terabytes of data (570 GB compressed) spread across roughly 28,000 repositories. A directory tree published alongside the data samples suggests about 800 Red Hat client organizations are affected.
Red Hat Under Pressure Over Trade Secrets and Personal Data
Crimson Collective and SLSH date the attack to September 13. They claim to have contacted Red Hat… and were told in return to follow the vulnerability disclosure procedure.

Thousands of files include a CONFIDENTIALITY.md document explicitly stating that the related files must be treated as confidential, with access restricted to Red Hat and the client. It is in this context that Crimson Collective and SLSH threaten legal action. They also point to a shortcoming in personal data protection: the data they stole includes personal information.

The same intimidation tactic is currently being used against Salesforce, which faces the same deadline as Red Hat: October 10, 2025. The world’s leading CRM provider likewise confronts the potential leakage of several terabytes of data. That data apparently results from the aggregation of multiple campaigns since spring 2024, involving a range of attack methods, from vishing to the compromise of third-party applications.