Sensitive information in Baltimore Archdiocese data breach not made public, attorneys believe
Published in Religious News
BALTIMORE — A data breach that exposed confidential information about survivors of sexual abuse within the Archdiocese of Baltimore has not resulted in the data appearing online, according to attorneys for the consulting firm that was hacked.
The breach was first discovered in March at Berkeley Research Group, which serves as a financial adviser for more than 1,000 survivors with claims in the archdiocese’s ongoing bankruptcy proceedings.
The California consultant, which is also involved in several other Catholic Church bankruptcy cases, informed federal bankruptcy court in late April that the extent of the leaked data remained unclear. However, the firm reported it had reached a settlement with the hackers — referred to in court filings as “threat actors” — who say they have deleted the stolen data.
Attorneys from Proskauer Rose LLP, representing Berkeley, confirmed that the firm received a “destruction log” from the hackers, indicating the data had been erased. Despite this, Berkeley continues to assess whether any data might have been exposed or shared.
The U.S. Trustees Program has questioned whether the destruction actually happened, suggesting that Berkeley was “relying on the assurances of extortionists.”
“BRG has found no indication that any data that was potentially exfiltrated in the Incident has been distributed to anyone, and BRG has no reason to believe that the threat actor retained the data,” attorney Timothy Karcher wrote in a Friday letter to Nan Roberts Eitel, associate general counsel for Chapter 11 Practice for the U.S. Trustees Program. “BRG will continue to monitor the situation, including monitoring the dark web for the foreseeable future, and the FBI’s investigation remains ongoing.”
In addition, Berkeley is currently working to “identify individuals whose personally identifiable information may have been exfiltrated.” The firm has not informed alleged sexual abuse victims that their names and other data might have been compromised, citing the “risk of providing potentially incomplete or inaccurate information.”
Hackers infiltrated Berkeley’s systems by impersonating internet technology staff during a Microsoft Teams call with an employee, according to a court filing. Once inside, they deployed ransomware that encrypted parts of the firm’s network and searched for terms like “sensitive files” and “backup files,” a report by an outside law firm stated.
Earlier this month, attorneys with the U.S. Department of Justice’s bankruptcy watchdog criticized Berkeley, saying its initial disclosure “raised more questions than it answered.” They questioned whether the company was responding to the breach with appropriate seriousness, even as the firm said it had contacted the FBI and was still assessing the damage.
The archdiocese filed for bankruptcy in 2023, after Maryland passed the Child Victims Act eliminating the statute of limitations for childhood sexual abuse lawsuits.
While the bankruptcy paused legal action, a judge ruled May 7 to temporarily allow lawsuits to proceed against hundreds of churches, schools and charities covered under the archdiocese’s insurance.
In the letter to the court, Berkeley argued it should not face penalties over the breach or its response.
“First, BRG respectfully rejects any suggestion of liability. BRG was the victim of the ransomware attack, not the perpetrator,” Karcher wrote. “To reiterate — BRG was the victim of a crime. That crime is being investigated by the Department of Justice.”
_____
(Baltimore Sun reporter Dan Belson contributed to this article.)
_____
©2025 Baltimore Sun. Visit baltimoresun.com. Distributed by Tribune Content Agency, LLC.