Data Breaches · December 26, 2025 · 5 min read

Nissan Discloses 21,000 Customers Exposed in Red Hat GitLab Breach

Crimson Collective hackers breached Red Hat's self-managed GitLab in September, stealing 570GB from 28,000 repositories including Nissan customer data.

Sarah Mitchell

Japanese automaker Nissan has confirmed that personal information of approximately 21,000 customers was stolen after threat actors compromised a GitLab instance managed by Red Hat Consulting. The breach, detected in late September, is part of a larger attack that allegedly affected dozens of major enterprises whose code and data resided on Red Hat infrastructure.

TL;DR

  • What happened: Attackers breached Red Hat's self-managed GitLab servers in September 2025, stealing data from 28,000 private repositories
  • Who's affected: 21,000 Nissan Fukuoka customers; potentially customers of Bank of America, T-Mobile, and other major organizations
  • Severity: Medium-High - Personal data including names, addresses, phone numbers exposed
  • Action required: Affected Nissan customers should monitor for phishing attempts and review credit reports

What Happened?

Red Hat detected unauthorized access to its GitLab instances on September 26, 2025. The attackers, operating under the name "Crimson Collective," had already exfiltrated significant amounts of data. Two days earlier, on September 24, the group posted proof of access to a Telegram channel—including a complete file tree, certificate lists, and screenshots from inside the environment.

Nissan received notification of the breach on October 3. The automaker immediately reported the incident to Japan's Personal Information Protection Commission and began assessing the scope of customer impact.

The stolen Nissan data belonged to customers of Nissan Fukuoka Sales (formerly Fukuoka Nissan Motor), a regional dealership. Information compromised includes names, addresses, phone numbers, and partial email addresses. Nissan confirmed that no payment card data was taken.

How Big Was the Red Hat Breach?

Crimson Collective claims to have stolen 570GB of compressed data from 28,000 private repositories on Red Hat's GitLab infrastructure. The group published a list of allegedly compromised Customer Engagement Requests (CERs) dating back to 2020.

If accurate, the scope is alarming. Organizations appearing on Crimson Collective's list include Bank of America, T-Mobile, AT&T, Fidelity, Kaiser Permanente, Mayo Clinic, Walmart, Costco, the U.S. Navy's Naval Surface Warfare Center, the Federal Aviation Administration, and the House of Representatives.

Red Hat has not publicly confirmed the full extent of the breach or which customers were affected. The company told reporters it is "working directly with impacted customers" but declined to provide specifics.

Shortly after the initial claims, Crimson Collective announced they had partnered with "Scattered Lapsus$ Hunters"—an offshoot connected to the ShinyHunters collective—to extort IBM-owned Red Hat. The outcome of any ransom negotiations remains unknown.

Third Major Breach for Nissan in Three Years

This incident adds to a troubling pattern for Nissan's cybersecurity posture. In May 2024, the company disclosed that attackers had stolen personal information from over 50,000 North American employees during a November 2023 intrusion. Two months before that, Nissan's Oceania division confirmed the Akira ransomware gang had exfiltrated data on more than 100,000 Australian and New Zealand customers.

Supply chain and third-party breaches now account for 30% of all data breaches, according to Verizon's 2025 Data Breach Investigations Report—double the rate from just two years ago. The Red Hat incident underscores how organizations can be exposed through vendors they may not even directly engage.

Nissan's relationship with Red Hat was indirect. The GitLab instance was maintained by Red Hat Consulting for a former Nissan dealer, creating a chain of custody that likely complicated breach detection and response.

What This Means for Supply Chain Security

The Red Hat breach represents a worst-case scenario for supply chain security. GitLab instances often contain source code, configuration files, credentials, and customer data—everything an attacker needs for follow-on compromises.

Organizations frequently grant consulting partners elevated access to accelerate project delivery. When those partners centralize client data on shared infrastructure, a single breach can cascade across dozens of unrelated companies.

The incident also highlights gaps in breach notification. Nissan customers were exposed in September but didn't learn of the breach until late December—a three-month gap during which attackers could have exploited the stolen data for targeted phishing or identity fraud.

Frequently Asked Questions

How do I know if my data was in the Nissan breach?

Nissan is directly notifying affected individuals. The breach specifically impacted customers of Nissan Fukuoka Sales in Japan. If you're a Nissan customer in other regions, this particular incident did not affect your data—though the company has experienced separate breaches affecting North American and Oceania customers.

What should affected customers do?

Monitor for phishing emails that reference your Nissan relationship or contain accurate personal details. Review your credit reports for unauthorized accounts. Consider placing a fraud alert with credit bureaus if you're concerned about identity theft.

Were other companies' customers affected?

Potentially. Crimson Collective claims to have stolen data from repositories belonging to major enterprises including financial institutions and government agencies. Those organizations have not publicly confirmed or denied impact. If you're a customer of any company that uses Red Hat consulting services, watch for breach notifications.
