Qilin Ransomware Allegedly Breaches Church of Scientology’s Data Security

Qilin ransomware has claimed responsibility for a breach involving the Church of Scientology, backing the claim with 22 screenshots posted on its dark web leak site. The group has not specified the extent of the data compromised or the methods used to achieve the breach, but the implications are significant.

Analysis of the Leaked Screenshots

The screenshots released by Qilin indicate internal access to the Advanced Organisation Saint Hill UK (AOSH UK), a key facility for the Church. The documents include visa application records for religious staff, featuring the names of individuals applying for UK Religious Worker visas. Details within these records reveal specific immigration costs, with allocations of £2,600, £4,500, and £1,800 per person. A consolidated summary highlights over £11,500 approved for multiple visa applications, showcasing access to internal human resources and financial documents.

In addition, the leaked content encompasses operational budgets, marketing campaigns, and logistics for events. Documents show a budget request of £30,000 destined for extensive mailing campaigns, prominent launches involving 4,000 letters, and the distribution of holiday cards to 12,000 recipients. Further financial records authorize £6,351 for international mailing services. Event logistical plans detail expenditures of £6,000 for audio-visual equipment and £1,550 for rented displays for New Year’s festivities, reflecting the group’s financial planning dynamics.

Security arrangements also feature prominently in the leaked materials. Spreadsheets outlining security budgets for the years 2024 and 2025 total nearly £100,000, detailing expenditures for patrol services, bomb detection dogs, and executive protection teams. Allocations include £74,326 for protecting executive personnel and hundreds for localized perimeter security, indicating a well-developed internal budgeting process rather than sporadic data gathering.

Financial invoices and banking information are additionally part of the data dump. A notable invoice from a Czech company demands €12,565 for self-improvement and communication counseling services, clearly displaying bank account details. Internal purchase orders further reveal funding for administrative supplies and organizational materials.

Notably, personal data of individuals connected to the Church is exposed. For instance, one document presents a “Saint Hill Services Questionnaire” that includes a participant’s handwritten information, such as names and intentions to join programs. Another spreadsheet titled “Latinoles Clear Band November 2025” lists individuals from South America, including sensitive details like their names, contact numbers, and travel history, suggesting potential risks associated with the exposure of personal data.

Moreover, internal governance documentation reveals payment arrangements among members, underscoring the breach’s depth into sensitive administrative functions. The absence of login credentials in the displayed materials suggests that attackers gained structured access to internal document repositories, likely pointing towards a compromise of file servers or shared drives rather than targeting individual systems.

About Qilin Ransomware

Emerging in mid-2022, Qilin ransomware operates on a ransomware-as-a-service (RaaS) model and is believed to be based in Russia, judging by its activities in underground forums. The group’s double extortion strategy combines file encryption with data theft to pressure victims into paying, not only to restore systems but also to prevent data dissemination.

Typically, Qilin affiliates gain access through credential theft, exploitation of unprotected remote services, or phishing attacks. Once inside a network, they move laterally to extract data and cripple recovery mechanisms before deploying ransomware to maximize impact. Those who decline to pay find their information showcased on Qilin’s leak portal as leverage for further coercion.

Over the past couple of years, Qilin has targeted a diverse array of sectors, notably healthcare, manufacturing, and public services, with high-profile incidents including disruptions to medical diagnostics in the UK. In June 2025, UK authorities confirmed a patient death linked to a Qilin ransomware attack on the NHS, further amplifying the group’s notoriety.

Status of the Scientology Claim

As of now, the claimed breach of the Church of Scientology remains unverified, with Qilin’s screenshots as the sole evidence available. No independent forensic investigation has been confirmed, nor has any data been released for verification. However, the internal consistency of the materials, such as budgetary claims and departmental references associated with AOSH UK, suggests authenticity.

The Church of Scientology has been approached for comment regarding this incident. If verified, the leak would potentially expose a wealth of sensitive data, including financial information, security operations, and personal records of its members. Until further confirmation or additional evidence emerges, this incident stands as a claim primarily substantiated by the attackers’ own documents. Updates will be provided as the situation develops.
