Qilin ransomware has listed the Church of Scientology on its dark web leak site, claiming responsibility for a breach and publishing 22 screenshots as proof of access. The group has not disclosed how much data it allegedly stole or how the breach took place.
Analysis of the leaked screenshots
The screenshots shared by Qilin point to internal access within Advanced Organisation Saint Hill UK (AOSH UK), one of the Church’s major hubs. Multiple documents show visa processing records for religious staff, including named individuals applying for UK Religious Worker visas.
Several approvals outline exact amounts allocated for immigration costs, including £2,600, £4,500 and £1,800 per person. One consolidated summary shows over £11,500 approved for multiple visa applications in a single funding cycle. These documents include dates, internal sign-offs, staff names, and departmental references, suggesting access to internal HR and finance workflows.
Another large portion of the leaked material relates to operational spending, mailing campaigns, and event logistics. One set of files details a £30,000 budget request for weekly letters, mass mailers to 4,000 recipients, calendar shipping, and holiday card distribution to 12,000 people.
Additional records authorise £6,351 for international mail fulfillment and postage. Event logistics documents list AV equipment purchases and rentals worth £6,000 for large-scale events, as well as £1,550 for TV screens, stands, and speakers for New Y
Source: https://hackread.com/qilin-ransomware-church-of-scientology-data-theft/
Church of Scientology International cybersecurity rating report: https://www.rankiteo.com/company/church-of-scientology-international
"id": "CHU1764893369",
"linkid": "church-of-scientology-international",
"type": "Ransomware",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'incident': {'affected_entities': [{'customers_affected': None,
'industry': 'Non-Profit/Religious',
'location': 'Global (specific breach at '
'Advanced Organisation Saint '
'Hill UK)',
'name': 'Church of Scientology',
'size': None,
'type': 'Religious Organization'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Yes (screenshots published '
'as proof)',
'file_types_exposed': ['Documents',
'Spreadsheets',
'Internal approvals'],
'number_of_records_exposed': None,
'personally_identifiable_information': 'Yes '
'(names, '
'visa '
'application '
'details, '
'internal '
'sign-offs)',
'sensitivity_of_data': 'High (personally '
'identifiable '
'information, internal '
'financial records, visa '
'applications)',
'type_of_data_compromised': ['Visa processing '
'records',
'HR documents',
'Finance documents',
'Operational '
'spending details',
'Mailing campaign '
'budgets',
'Event logistics']},
'description': 'Qilin ransomware group listed the Church of '
'Scientology on its dark web leak site, claiming '
'responsibility for a breach and publishing 22 '
'screenshots as proof of access. The group has '
'not disclosed the amount of data stolen or the '
'breach methodology. Leaked screenshots indicate '
'access to internal HR, finance, and operational '
'workflows of Advanced Organisation Saint Hill UK '
'(AOSH UK), a major hub of the Church of '
'Scientology.',
'impact': {'brand_reputation_impact': 'High (public disclosure '
'of sensitive internal '
'documents)',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Visa processing records, HR and '
'finance documents, operational '
'spending details, mailing '
'campaign budgets, event '
'logistics',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High (exposure of named '
'individuals and visa '
'application details)',
'legal_liabilities': 'Potential (exposure of '
'personally identifiable '
'information and visa records)',
'operational_impact': 'Potential disruption to '
'internal HR and finance '
'workflows, event logistics, '
'and mailing campaigns',
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain (ransomware extortion)',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': 'Yes',
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': 'Qilin'},
'references': [{'date_accessed': None,
'source': 'Dark web leak site (Qilin ransomware)',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': ['Potential '
'GDPR (if '
'EU/UK data '
'exposed)',
'Potential '
'data '
'protection '
'laws (UK)'],
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'threat_actor': 'Qilin',
'title': 'Qilin Ransomware Breach of Church of Scientology',
'type': 'Ransomware'}}