Consulting Firm Says It Paid Hackers Ransom to Delete Data of Clergy Abuse Survivors
A California-based consulting firm, Berkeley Research Group (BRG), has come under fire for paying a hacker ransom to delete data involving clergy abuse survivors. The company, which provides corporate finance and economic consulting services, including to Catholic dioceses in bankruptcy proceedings, suffered a security breach earlier this year that exposed sensitive information.
A Security Breach Exposed Sensitive Information
In March, BRG's systems were compromised, exposing data from nearly a dozen bankruptcy lawsuits involving clergy abuse cases. The breach was not discovered until the end of April, when regulators informed the company of the incident. Since then, the US government has demanded that BRG provide information on each affected case and clarify its response to the breach.
A Ransom Payment Was Made
According to a letter sent by BRG's attorneys, the company paid a ransom to the hacker in an effort to protect the sensitive information. The firm stated that it "reached a settlement with the threat actor after careful consideration and with a primary focus on protecting the subjects of any implicated data."
Terms of the Ransom Payment
The company received a destruction log and a representation from the hacker that any data exfiltrated during the incident was deleted and will not be disclosed. BRG has also used experts to monitor the internet, including the "dark web," to detect any dissemination of the impacted data.
Impact on Affected Clients
The company stated that there is no indication that clergy abuse victims were specifically targeted by the hacker. The breach affected data across BRG, including many clients and information unrelated to the subject cases or bankruptcy matters.
Delay in Notification of Affected Clients
BRG acknowledged a delay between the discovery of the data breach and the notification of affected clients. According to the company, numerous actions were required before BRG could fully define the extent of the incident and understand its impact.
Cases Affected by the Breach
The bankruptcy cases affected by the data breach include those of the archdioceses of Baltimore and New Orleans, as well as the dioceses of Albany and Rochester, among others. BRG is also handling cases involving the Archdiocese of Milwaukee, the Diocese of Wilmington, the Diocese of Camden, and several others.
No Intention to Seek Recovery
The company stated that it does not intend to seek recovery of costs associated with the incident investigation or ransom payment from its clients. BRG's response to the breach has been described as "robust and remains ongoing."