Consulting firm says it paid hackers ransom to delete data of clergy abuse survivors

CNA Staff, May 29, 2025 /
13:12 pm

A California consulting firm that handles data of some clergy abuse cases says it paid hackers a ransom to delete data involving abuse survivors after a security breach earlier this year. 

The Emeryville, California-based Berkeley Research Group (BRG) offers corporate finance and economic consulting, including to Catholic dioceses in bankruptcy proceedings. In March the company suffered an incursion that exposed data of Catholic clergy abuse survivors in nearly a dozen bankruptcy lawsuits. 

Regulators were only informed of the breach at the end of April. The U.S. government earlier this month demanded the company provide information on each affected case as well as clarify why the company “delayed two months” before notifying trustees and whether or not the company has contacted federal law enforcement over the breach. 

In a letter last week, attorneys representing the Berkeley group responded to the government’s query, stipulating that the company “takes this matter very seriously” and that its response “has been robust and remains ongoing.”

Among other disclosures in the letter, the attorneys said that after the hacking incursion BRG “reached a settlement with the threat actor after careful consideration and with a primary focus on protecting the subjects of any implicated data.” 

The firm “received a destruction log and a representation by the threat actor that any data exfiltrated during the incident was deleted and will not be disclosed,” the letter states. 

The company said it has further utilized “experts” to monitor the internet, including the “dark web,” in order to “detect the dissemination of impacted data.” 

“Those experts have not identified any information suggesting that the threat actor has breached its representation,” the letter says. 

The company said there was no indication that clergy abuse victims were specifically targeted by the hacker. 

“The incident affected data across BRG, including many clients and data having nothing to do with the subject cases, or any bankruptcy matter,” the letter states. 

Addressing the delay between the discovery of the data breach and the notification of affected clients, the letter states that there were “numerous actions required before BRG could fully define the extent of the incident and understand its impact,” including a cataloging of the data stolen by the hackers. 

Among the bankruptcy cases affected by the data breach include those of the archdioceses of Baltimore and New Orleans as well as the dioceses of Albany and Rochester, among others.

The company is also handling cases involving the Archdiocese of Milwaukee, the Diocese of Wilmington, the Diocese of Camden, and several others, though it said in its letter this month that based on its review, “no data was exfiltrated [in those cases] that would warrant disclosure.”

The Berkeley group “does not intend to seek recovery of costs of the incident investigation or ransom payment” from its clients, the letter states.