Firm in Baltimore Archdiocese bankruptcy case says stolen data was deleted after cyber breach

A financial advisory firm working on multiple church bankruptcy cases, including the Baltimore Archdiocese, said it has not found evidence that data stolen in a cybersecurity breach has appeared online.

In a letter dated Friday, Timothy Karcher, a partner at Proskauer Rose LLP, stated on behalf of Berkeley Research Group LLC that the company made a payment to the "threat actor" and obtained a "destruction log" along with an assurance that the data had been deleted.

The firm said the FBI is also investigating the breach, and has not found evidence that the perpetrators sought out data related to the 12 bankruptcy cases that relate to sexual abuse.

BRG reports cyberattack

When BRG announced the breach, the company said it impacted at least ten bankruptcy proceedings involving dioceses and archdioceses nationwide, including Baltimore, Albany, Rochester, and Utica, New York, and several in California.
BRG said the number of potential people exposed was unclear.

The DOJ requested additional details from BRG regarding the breach and the company's response to it. They asked for the case name, number, and district for each confirmed individual involved, as well as any other suspected cases. The DOJ also inquired whether potential victims had been informed and sought an explanation for the nearly two-month delay between BRG discovering the breach on March 2 and notifying the U.S. Trustee Program on April 28.

In Friday's letter, BRG said it remains committed to providing updates about the scope of the crime.

"While it has been mistakenly suggested that BRG believed that filing the Incident Notice would be its only post-Incident communication with stakeholders, nothing could be further from the truth. BRG has appeared, through counsel, at a number of status conferences in the Subject Cases and will do so at several more status conferences scheduled in the coming weeks," the letter reads.

The company said that after the attack, it retained a cyber counsel team at Octillo Law, and an incident response team at Booz Allen Hamilton to investigate the attack, and help mitigate harm.

BRG added that it will continue to provide information to the Office of the United States Trustee and the parties impacted as the investigation goes on and more information becomes available.
The FBI's investigation may restrict BRG from sharing information that could compromise the investigation, Karcher wrote.

Baltimore Archdiocese sex abuse case

In 2023, the Maryland Attorney General reported evidence that over 600 children were abused by at least 165 priests, teachers, and other employees under the supervision of the Baltimore Archdiocese.

After the Child Victims Act, which eliminated the statute of limitations for survivors of child sexual abuse, was signed into law, victims filed a lawsuit alleging that the Baltimore Archdiocese is responsible for more than 1,000 claims of sexual assault — but has attempted to avoid compensating victims.

Although the Child Victims Act initially allowed survivors to seek up to $890,000 per abuse claim, the Child Victims Act, passed in April by the Maryland General Assembly, lowered that limit. Starting June 1, 2025, compensation for sexual abuse claims will be capped at $400,000 for public institutions and $700,000 for private ones.