Ransomware Breach at Advisory Firm Exposes Data in U.S. Catholic Church Sex-Abuse Bankruptcies

Hacker infiltrates Berkeley Research Group; sensitive victim information potentially at risk

A sophisticated ransomware attack on Berkeley Research Group (BRG)—the financial adviser overseeing dozens of Catholic diocesan bankruptcy cases—has compromised data tied to sex-abuse victims nationwide. Court filings reveal that the breach, detected in early March, reached files from Chapter 11 proceedings in Baltimore, New Orleans, San Francisco, San Diego and at least eight other jurisdictions.

BRG’s preliminary analysis shows the attacker accessed internal systems by masquerading as an IT technician during a Microsoft Teams chat, then deployed a variant of Chaos ransomware. The hacker demanded—and received—an undisclosed payment in exchange for a “destruction log” pledging that stolen data would be wiped. Whether personally identifiable information on survivors was removed or copied before that deletion remains under investigation.


Justice Department presses for answers

The U.S. Trustee Program, which polices conflicts and misconduct in federal bankruptcy courts, has asked BRG to explain:

  • Why six weeks elapsed between discovering the intrusion and notifying courts and creditors.

  • What specific data sets were stolen, including any lists containing victims’ names or claim details.

  • How the breach affects BRG’s role and whether millions in advisory fees should now be forfeited.

In a letter filed this week, government lawyers called the incident “particularly troubling” because abuse-claim spreadsheets are among “the most sensitive and confidential” records in any bankruptcy docket.


BRG’s response and remediation steps

During a Thursday hearing, BRG counsel Timothy Karcher told U.S. Bankruptcy Judge Meredith Grabill that the firm “acted swiftly,” isolating affected servers, resetting credentials and installing SentinelOne endpoint monitoring. BRG also hired Booz Allen Hamilton to conduct a forensic review and reported the matter to the FBI.

“As of today, we have found no evidence that compromised materials have been leaked or sold,” BRG said in a written statement, adding that it “takes client confidentiality extremely seriously.”

Still, cyber-security specialists caution that destruction logs provided by attackers offer no guarantee. “Once data leaves your perimeter, control is effectively lost,” said Jon DiMaggio, chief security strategist at Analyst1. “Even if hackers delete one copy, they can retain another for future leverage.”


Why diocesan bankruptcies are prime targets

More than 30 U.S. dioceses have sought Chapter 11 protection over the past decade to manage civil litigation costs tied to clergy abuse. Bankruptcy rules force dioceses to list every pending claim, often including the victim’s name, age at the time of abuse and brief narrative descriptions. Courts typically seal those exhibits, but financial advisers such as BRG receive unrestricted copies to calculate settlement ranges.

A leak of that data could retraumatise survivors and expose them to harassment. In 2023, the Diocese of Norwich, Conn., paid $6.45 million after a spreadsheet of 100 abuse victims was accidentally filed on the public docket.


Ransomware economics add pressure

Cyber-insurance carrier Coalition reported average payouts of $292,000 to ransomware gangs last year, but attacks on professional-services firms can command higher sums because they store troves of third-party information. BRG has not disclosed its payment amount or whether insurance covered the loss.

Industry observers say advisory shops are attractive because they juggle data from multiple clients. “Hack one consultancy and you effectively compromise every organisation it serves,” noted Chester Wisniewski, field CTO at Sophos.


Next steps in court

Judge Grabill gave BRG two weeks to file a detailed incident timeline and an inventory of affected documents. The U.S. Trustee signalled it may seek sanctions—or the return of fees—if the firm can’t prove it adequately safeguarded estate data.

Survivor advocacy groups are monitoring closely. “These bankruptcies are supposed to protect victims and help them heal,” said Zach Hiner, executive director of SNAP, a national support network for clergy-abuse survivors. “A breach like this adds fresh fear that their most private experiences could be dragged into the open.”


Broader implications

The event adds to a string of 2025 ransomware strikes against law firms, accountants and restructuring advisers, underscoring how third-party vendors can become weak links in sensitive legal proceedings. As investigations continue, dioceses, creditors’ committees and judges will weigh whether tighter cyber-due-diligence requirements should be baked into future bankruptcy engagements.

For now, BRG faces a dual challenge: reassuring courts that victims’ data remains safe while persuading federal watchdogs it can continue steering some of the nation’s most emotionally charged bankruptcies.

Photo Credit: DepositPhotos.com