2 Remove Virus

Qilin ransomware group claims breach at Church of Scientology

Notorious ransomware group Qilin has claimed responsibility for a breach affecting the Church of Scientology. The group stated that it had obtained internal documents and released sample files on its website. The organisation has not confirmed the breach. At this stage, the claim remains unverified, and there is no independent evidence that the data posted by the attackers is authentic.

The ransomware group Qilin claims it accessed internal systems belonging to the Church of Scientology and released a set of sample files. The group published 22 documents that it said were taken from a UK-based branch. The material includes internal financial records, administrative forms, member-related paperwork, and visa documentation for religious workers. The Church of Scientology has not confirmed the breach, and the authenticity of the leaked files has not been verified by independent investigators.

According to the group, the leaked items were taken during a recent intrusion involving systems that store administrative and operational information. The documents presented as evidence include funding requests for religious worker visas, budget sheets, billing records, event-related expenditure lists, and internal organisational charts. Some of the items appear to involve membership processing or upgrade requests. Analysts who reviewed the publicly posted samples said the documents resemble internal administrative paperwork but noted that confirmation requires forensic analysis. At this stage, there is no official indication that the data sets are accurate, complete, or current.

Researchers said that Qilin frequently claims responsibility for high-profile incidents and often uses initial data samples to pressure victims. They added that the group regularly targets organisations that manage large volumes of personal or financial data. The claimed attack on the Church of Scientology would fall within this pattern but has not yet been supported by technical findings outside the group’s own statements.

Qilin operates a ransomware-as-a-service model. Its affiliates conduct attacks and share ransom proceeds with operators. The group first appeared in 2022 and has expanded operations across several regions. Security reports from 2024 and 2025 show activity affecting healthcare providers, manufacturing firms, educational institutions, and government services. The group is known to rely on double extortion. This involves theft of data combined with efforts to make systems inaccessible. Victims are then told that stolen data will be published if demands are not met.

Investigators said Qilin affiliates often begin attacks through compromised credentials, vulnerabilities in remote access systems, or weaknesses in third-party tools. Once inside a network, attackers gather information, attempt to move laterally, and extract data. They may disable protective controls or backups before activating file encryption. The spread of this method has increased the number of organisations at risk, including non-profit groups and religious institutions that maintain detailed internal records.

If the Qilin claim regarding the Church of Scientology is accurate, the leaked information could include personal identifiers, financial details, and sensitive organisational records. Exposure of visa documentation and membership data could place individuals at risk of identity theft or targeted fraud. Internal financial or organisational documents may reveal confidential procedures that are not intended for public release. Analysts said leaks from religious or non-profit groups often create additional sensitivities because they may involve private member-related information that is usually protected under privacy or organisational rules.

Cybersecurity practitioners said that organisations managing sensitive internal data require strict access controls, regular audits, and strong segmentation between administrative and operational systems. They noted that groups like Qilin often exploit areas where legacy systems intersect with modern communication or document handling tools. Without regular review, these systems can become vulnerable to credential theft or intrusion.

The Church of Scientology has not issued a public statement about the claimed breach. Requests for comment were reported, but no response had been shared at the time of reporting. The lack of confirmation means that the scope and accuracy of the leak remain unclear. Analysts said a cautious interpretation is necessary until a formal investigation or third-party assessment confirms whether unauthorised access occurred. In past incidents involving other organisations, sample files released by threat groups have ranged from accurate to misleading or incomplete.

Individuals who believe they may have been affected should monitor for suspicious messages or attempts to obtain personal information. Security advisers recommend updating passwords for relevant accounts, enabling two-factor authentication where possible, and remaining alert to unexpected communication referencing internal records.

To address large-scale intrusions of this type, experts recommend reviewing network architecture, implementing stronger credential management procedures, and exercising careful oversight of remote access systems. Regular review of logging and monitoring can improve detection of early-stage intrusion attempts. Organisations that handle personal information may also be required to notify regulators if breaches are confirmed.

The claimed attack reflects the broadening of targets selected by ransomware groups. While commercial entities remain the most frequent victims, religious and non-profit organisations increasingly store large data sets that can be valuable to attackers. Until independent verification is available, the incident remains an unconfirmed claim based on material posted by the group.