Berkeley Research Group today confirmed it notified 6,083 people of a February 2025 data breach that compromised the following info:
- Names
- Social Security numbers
- Tax ID number
- Financial and bank account info, sometimes including PINs, security codes, or login credentials
- Payment card numbers and details
- Usernames
- Passwords
- Medical info
- Health insurance info
- Government-issued ID number (e.g. passport, driver’s license, etc).
In May 2025, the US Department of Justice said the breach exposed the personal data of some Catholic clergy sex abuse survivors.
Berkeley Research Group said a ransomware attack led to the breach. The consulting firm said it paid an undisclosed sum in ransom to a ransomware group called Chaos.
We do not know how much BRG paid in ransom or how attackers breached its network. Comparitech contacted BRG for comment and will update this article if it replies.
“On Sunday, March 2, 2025, we detected suspicious activity in our network and immediately launched an investigation with the assistance of leading data security and privacy professionals,” says BRG’s notice to victims. “Based on the findings from the investigation, an unauthorized actor briefly gained access to our systems from the evening of Friday, February 28, 2025, until Sunday, March 2, 2025.”
BRG is offering eligible victims 24 months of free identity monitoring through Kroll.
Who is Chaos?
Chaos is a ransomware gang that first surfaced in 2021 but didn’t start claiming victims on its data leak site until March 2025. The group attacks both individuals and organizations through drive-by-downloads and phishing. It employs a double-extortion scheme in which Chaos demands a ransom both to destroy stolen data and to restore infected systems.
Chaos has taken credit for six confirmed ransomware attacks on US businesses, plus another 15 unconfirmed claims that haven’t been publicly acknowledged by the targeted organizations.
The group claimed responsibility for the following confirmed breaches:
- Optima Tax Relief notified 3,114 people of a May 2025 data breach
- IES Communications notified 6,241 people of a March 2025 data breach
- The Salvation Army reported a May 2025 data breach
- Farmer Brothers Company notified 14,460 people of a March 2025 data breach
- Goosehead Insurance notified 17,400 people of a March 2025 data breach
Ransomware attacks in the USA
Comparitech researchers have logged 400 confirmed ransomware attacks against US organizations in 2025 to date, compromising 15.3 million records. The average ransom demand is about $916,000.
Other confirmed breaches claimed by ransomware gangs this week include:
- OB-GYN Associates notified 62,000 people of an August 2025 data breach claimed by Inc
- The Roger Keith & Sons Insurance Agency notified 860 people of a January 2025 data breach claimed by LinkedData
- Form Energy reported a September 2025 ransomware attack led to a data breach
- Chester County Library System notified 1,281 people of a September 2025 data breach claimed by Lynx
Ransomware attacks use malware to both lock down computer systems and steal data. Once infected, attackers then demand a ransom to restore infected systems and destroy the stolen data. If the targeted organization refuses, it faces extended downtime, permanent data loss, and putting data subjects at increased risk of fraud.
About Berkeley Research Group
Berkeley Research Group is a consulting firm based in Emeryville, California with offices across the world. It employs more than 1,600 people across 40 offices. Its clients include banks, Fortune 500 companies, law firms, government entities, and regulatory bodies.
