Nissan Customer Data Exposed via Red Hat GitLab Breach
Nissan Motor Co. confirmed that personal data of approximately 21,000 customers was compromised following unauthorized access to a Red Hat-managed server. The breach, detected in September, affected customers who purchased vehicles or received services at the former Nissan Fukuoka Motor Co. (now Nissan Fukuoka Sales Co.), exposing names, addresses, phone numbers, partial or full email addresses, and other sales-related customer information. No credit card or financial data was reported stolen, and Nissan has stated there is no evidence the leaked information has been misused, though customers are advised to remain vigilant for potential phishing or fraud attempts.
The incident originated from a breach of a dedicated GitLab instance managed by Red Hat Consulting, with the intrusion detected by Red Hat on September 26 and Nissan notified on October 3. The Crimson Collective threat actor initially claimed responsibility for the theft of hundreds of gigabytes of data from 28,000 private GitLab repositories, with ShinyHunters later hosting samples of the stolen data on their extortion platform. Nissan has apologized for the incident and pledged to strengthen monitoring of subcontractors and enhance information security measures in response to the breach.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Nissan publicly discloses breach affecting 21,000 customers
In December 2025, Nissan confirmed that approximately 21,000 customers of Nissan Fukuoka Sales Co., Ltd. were affected by the Red Hat breach. The company said names, addresses, phone numbers, and partial email addresses were exposed, while emphasizing there was no evidence of misuse and no operational disruption.
Threat actors publicize and extort over stolen Red Hat data
Following the breach, Crimson Collective publicly claimed responsibility and said it had stolen data from Red Hat's private GitLab repositories. ShinyHunters-linked actors were later reported to host sample data and use it for extortion.
Nissan reports the breach to Japan's privacy regulator
After being notified of the incident, Nissan reported the exposure to the Personal Information Protection Commission. The company said it continued investigating the scope and stated there was no evidence of misuse of the data at that time.
Red Hat notifies Nissan of customer data exposure
Nissan said it was informed on October 3 that data tied to Nissan Fukuoka Sales Co., Ltd. had been exposed through the Red Hat breach. The compromised information affected about 21,000 customers and included personal and sales-related data, but not financial or credit card information.
Red Hat detects unauthorized access to a managed server
Red Hat detected unauthorized access to a Red Hat-managed server and self-managed GitLab environment used by Red Hat Consulting. Threat actor Crimson Collective later claimed the intrusion involved theft of about 570 GB of data from private repositories.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
21K Nissan customers' data stolen in Red Hat raid
go.theregister.com
Open sourceRed Hat GitLab breach exposes data of 21,000 Nissan customers
securityaffairs.com
Open sourceNissan says thousands of customers exposed in Red Hat breach
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Red Hat GitLab Breach by Crimson Collective Exposes Sensitive Data and Credentials
Red Hat confirmed a significant security incident after hackers from a group calling themselves "Crimson Collective" breached the company's GitLab instance. The attackers reportedly exfiltrated nearly 570GB of data, including approximately 800 Customer Engagement Reports spanning from 2020 to 2025. These reports are believed to contain sensitive information such as infrastructure details, authentication tokens, database URIs, and other credentials that could potentially allow unauthorized access to customer networks. In addition to the reports, the attackers claim to have stolen 28,000 private repositories, which included credentials, CI/CD secrets, pipeline configurations, VPN profiles, and infrastructure blueprints. The breach has raised concerns about the exposure of confidential customer and internal Red Hat data, as well as the potential for downstream attacks leveraging the stolen information. Analysis of the leaked data suggests that the attackers obtained a wide array of sensitive materials that could be used for further exploitation or sold on underground forums. The incident highlights the risks associated with source code management platforms and the importance of securing CI/CD pipelines and repository access. Red Hat has acknowledged the breach and is conducting an internal investigation to assess the full scope and impact. The company is working with affected customers to mitigate risks and has likely initiated incident response protocols, including credential rotation and infrastructure reviews. Security experts warn that the exposure of such a large volume of sensitive data could have long-term repercussions for both Red Hat and its customers, especially if the information is weaponized by other threat actors. The breach underscores the need for robust access controls, regular security audits, and rapid response capabilities in managing source code and customer data. Industry observers are closely monitoring the situation for signs of further exploitation or public release of the stolen data. The incident serves as a stark reminder of the evolving threat landscape and the persistent targeting of technology vendors by sophisticated cybercriminal groups. Organizations are advised to review their own security postures, especially regarding third-party software providers and supply chain dependencies, in light of this breach.
Mar 21, 2026
Everest Ransomware Group Claims Nissan Data Breach and Extortion Deadline
The **Everest ransomware group** claimed it breached **Nissan Motor Corporation** and stole data, posting alleged proof on its dark web leak site. The actors shared **six screenshots** and a directory listing that appear to show internal file storage and records, including documents and data extracts in formats such as `.csv`, `.txt`, and `.xls` (with additional file types like `.pgp` referenced). The material shown includes references to dealership information, certification reports, and claims processing; one screenshot reportedly shows a spreadsheet with dealership names and locations. Everest issued Nissan a **five-day ultimatum** to respond, threatening to publish the allegedly stolen data if the company does not engage. The screenshots do not visibly expose sensitive personal data, but the folder names and file types suggest access to operational systems and internal documentation that could enable further exploitation or data mining. Reporting also contextualized the claim against Nissan’s prior exposure to ransomware activity, including a 2025 claim by **Qilin** involving a Nissan-related entity, underscoring continued targeting of large automotive organizations by extortion-focused groups.
Apr 7, 2026
Red Hat GitLab Data Breach and Extortion by Crimson Collective and ShinyHunters
Red Hat, a leading enterprise software provider, confirmed a significant cyberattack resulting in unauthorized access to one of its GitLab instances. The breach was initially claimed by a hacking group known as Crimson Collective, who stated they had exfiltrated approximately 570GB of compressed data from Red Hat's internal development repositories. Among the stolen data were around 800 Customer Engagement Reports (CERs), which contain sensitive infrastructure and authentication details for numerous organizations across various sectors. Red Hat clarified that the compromised GitLab instance was used exclusively for Red Hat Consulting engagements, but the exposure of CERs poses a substantial risk to affected customers. Following the breach, Crimson Collective attempted to extort Red Hat, demanding a ransom to prevent the public disclosure of the stolen data. When Red Hat did not respond to these demands, Crimson Collective escalated their efforts by partnering with the ShinyHunters extortion group. ShinyHunters subsequently listed Red Hat on their newly launched data leak site, threatening to release the stolen data publicly if their ransom demands were not met by October 10th. The extortion campaign was further publicized through posts on Telegram, where the threat actors boasted about their alliance and intentions to target corporations. The incident highlights the growing trend of collaboration among cybercriminal groups to maximize pressure on victims and increase the likelihood of ransom payments. The breach also underscores the risks associated with third-party and internal development platforms, as attackers increasingly target these environments for valuable data. Red Hat's confirmation of the breach and the nature of the compromised data has raised concerns among its customers, particularly those whose sensitive information may now be at risk of exposure. The attack is part of a broader pattern of ransomware and extortion operations targeting high-profile technology companies. Security researchers have noted that the professionalization and convergence of cybercrime groups, as seen in this incident, are making such attacks more sophisticated and damaging. The Red Hat breach serves as a warning to organizations to strengthen their security posture around development environments and to prepare for the possibility of multi-stage extortion campaigns. The incident also demonstrates the importance of timely communication and transparency with affected stakeholders in the aftermath of a breach. As the deadline for the public release of the stolen data approaches, Red Hat and its customers face heightened risks of data exposure, reputational damage, and potential regulatory scrutiny. The evolving tactics of groups like Crimson Collective and ShinyHunters signal a challenging threat landscape for enterprises worldwide.
Mar 21, 2026