The Documented Facts
In early December 2025, the Russian-linked ransomware group Qilin claimed responsibility for a data breach at the Church of Scientology’s Advanced Organisation Saint Hill UK (AOSH UK), one of the organization’s major international hubs. The attack was first reported on December 4, 2025.
Qilin published 22 screenshots as proof of access. Tony Ortega posted some of the screenshots on his Underground Bunker Substack. The leaked materials, as documented by cybersecurity outlets including Cybernews, HackRead, and SC Media, show:
- Visa processing records for religious staff, including named individuals applying for UK Religious Worker visas
- Internal HR and finance documents with departmental sign-offs
- Security budgets totaling nearly £100,000 for 2024-2025, including line items for bomb dogs, patrol dogs, and guard deployment locations
- Financial invoices with banking details including IBAN and SWIFT information
- A “Knowledge Report” containing personal member information
- Member spreadsheets listing individuals from South America with contact details and travel history
The breach appears to represent access at the file server or document management level rather than a single endpoint compromise.
INCOMM: Scientology’s Global Data Network
Scientology operates a centralized computer system called INCOMM (International Network of Computer Organized Management). According to court documents, ex-member testimony, and Scientology’s own publications, INCOMM links Scientology organizations worldwide—connecting Saint Hill UK to Clearwater, Florida; the International Base in California; and other major facilities.
This raises a technical question: If Qilin breached a UK node with access to INCOMM, what visibility might that provide into the broader network? Ransomware groups routinely move laterally through connected systems. Whether this occurred is unknown, but the architecture suggests a UK breach could theoretically be more than a UK breach.
The City of London Presence
Saint Hill is not Scientology’s only UK footprint. The organization maintains a significant presence in central London, including a large headquarters on Queen Victoria Street—strategically located in Central London. This facility opened in 2006.
Scientology’s location in London allows it to recruit among financial professionals. If member records from Scientology’s operations were accessible through the compromised systems, the data could include individuals employed in banking, asset management, and related sectors—along with whatever they disclosed in auditing sessions.
Qilin is a ransomware-as-a-service operation believed to be Russian-speaking based on recruitment activity on Russian-language hacker forums. The group avoids targeting Commonwealth of Independent States (CIS) countries. According to Cybernews, Qilin has claimed more than 600 attacks in the past six months alone, with notable ransom demands including $10 million from Malaysia Airports and $2.12 million from a Spanish city.
The John Coale Timeline
John P. Coale is a veteran Washington attorney and longtime member of the Church of Scientology. His wife, journalist Greta Van Susteren (currently at Newsmax), is also a Scientologist. Coale joined Scientology in the early 1980s, according to a 1998 St. Petersburg Times profile.
January 2025: Coale served as Trump’s attorney in the lawsuit against Meta over the post-January 6 account suspension. Meta settled for $25 million, with $22 million going to Trump’s presidential library fund. Coale confirmed the settlement was reached through direct negotiations between Zuckerberg and Trump at Mar-a-Lago.
March 2025: Coale was appointed deputy special envoy to Ukraine under Keith Kellogg.
June 2025: Coale visited Minsk and helped secure the release of 14 political prisoners, including opposition figure Sergei Tikhanovsky.
September 2025: Coale returned to Minsk; Belarus released 52 additional political prisoners. The U.S. subsequently lifted sanctions on Belarusian state airline Belavia.
November 9, 2025: Trump announced Coale’s nomination as U.S. Special Envoy to Belarus, praising him for negotiating the release of “100 Hostages.”
December 4, 2025: Qilin claims the Scientology data breach.
December 2025: Coale told state media that he discusses the Russia-Ukraine war with Lukashenko and that Lukashenko’s “advice could be useful” given his relationship with Putin.
Scientologist John Coale and his wife Greta Van Susteren have long befriended Franklin Graham. This has allowed them to “safepoint” Scientology in Christian Evangelicalism — and this despite L. Ron Hubbard’s blaspheming Jesus Christ as a “lover of young men and boys.” Hubbard declared that he was the Antichrist and that Christianity is an alien R6 implant designed to enslave people. Is Franklin Graham willingly blind or a dupe? When pressed, Graham has only admitted to “religious differences” with his friends John and Greta. This violates the scriptural mandate that light can have no fellowship with darkness (II Cor. 6:14).
What Scientology Holds on Its Members
The Church of Scientology maintains extensive records on members, a practice documented in court cases, media investigations, and accounts from former members over decades. These include:
PC Folders (Preclear Files): Records from auditing sessions, Scientology’s form of counseling/confession. These sessions are conducted while the member holds electrodes connected to an “E-meter” and discusses intimate personal matters. Former members have testified that these files contain confessions of crimes, sexual histories, and deeply personal information.
Knowledge Reports (KRs): Internal reports that members file on one another documenting perceived ethical violations, critical statements, or suspect behavior.
Ethics Files: Records of disciplinary actions, “conditions assignments,” and internal investigations.
Financial Records: Detailed records of donations, course purchases, and “IAS” (International Association of Scientologists) contribution histories—often totaling hundreds of thousands of dollars for long-term members.
Secret Reports from Its Members: What reports would John Coale send to RTC and David Miscavige on President Trump; the White House; the State Department; Franklin Graham and Graham’s evangelical network; and other matters of interest to Scientology?
The GDPR Question
The UK General Data Protection Regulation (retained from EU law post-Brexit) governs any organization that processes personal data of people in the UK. There is no blanket exemption for religious organizations.
GDPR Article 5(1)(b) requires that personal data be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Ex-members have documented practices that appear to violate this purpose limitation principle:
- Auditing disclosures repurposed for ethics actions
- Ethics reports used in personnel decisions
- Confessional material flowing to OSA (Office of Special Affairs) intelligence operations
- Internal discipline informing external legal and PR strategy
- Staff confessions retained as potential leverage after members leave
If the Qilin breach exposed documentation of these data flows, it would constitute evidence of systematic GDPR non-compliance—potentially triggering regulatory scrutiny independent of any counterintelligence concerns.
The regulatory question: Has the UK Information Commissioner’s Office examined Scientology’s data handling practices? Would evidence from a breach be admissible in such an investigation?
The Questions
The following are questions—not assertions. They represent legitimate lines of inquiry given the documented facts above.
1. What was the scope of the breach?
The 22 screenshots Qilin published appear to be a sample. Ransomware groups routinely exfiltrate terabytes of data before making claims. Qilin’s other recent attacks have involved 2-5 TB of stolen data.
Unknown: How deep did the compromise go? Did it extend beyond St. Hill UK to other Scientology systems? What databases were accessible from the compromised systems?
The INCOMM question: If the breach provided access to Scientology’s INCOMM network, data from UK operations could potentially include:
- PC folders (confessional records) for UK and European members
- Communications with U.S. headquarters and RTC (Religious Technology Center)
- Financial transaction records routed through UK entities
- Member databases including any City of London financial professionals
The UK as a routing point: The United Kingdom—with its connections to Channel Islands, Isle of Man, Dubai, the Cayman Islands, Crypto transactions, and (pre-Brexit) EU regulatory structures—could serve as a natural routing point for international financial flows. What financial architecture documentation might exist in Scientology’s UK operational files which are a part of Scientology’s tax avoidance scheme known as COSRECI?
These are questions, not assertions. But the architecture of Scientology’s systems makes the scope question non-trivial.
2. Was this a target of opportunity or a directed attack?
Qilin is a financially-motivated RaaS operation. They attack across sectors: healthcare, education, manufacturing, government.
According to Damien Bancal at Zataz.com, the Scientology breach appeared alongside a diverse set of December 2025 targets: Kana Pipeline Inc (California civil engineering), Medisend (Dallas biomedical college), Peter Meijer Architect (Portland), Institutional & Supermarket Equipment (Florida refrigeration supplier), McManes Law (Georgia personal injury firm), Espaço Casa (Portuguese home decor retailer), and Maset Vinos y Cavas (Spanish winery).
Bancal noted that the Scientology target stood out as “particularly sensitive and high-profile…from an intelligence perspective.” Does this mean that the FSB may have used Qilin as a proxy to hack Scientology to see if it could get Scientology kompromat on John Coale? If so, the camouflage of a ransomware attack made purely for payment would be an optimal intel misdirection.
Possible interpretation: This was simply another target in Qilin’s mass-attack model—a target of opportunity alongside wineries and refrigeration suppliers.
Alternative possibility: Russia-linked ransomware groups have historically operated with tacit state tolerance. Some have performed services for Russian intelligence. The question of whether any direction or interest existed in this particular target is unanswerable from public information.
Historical context: Russia banned Scientology, and the Russian Orthodox Church (ROC) has long lobbied for restrictions on the organization. Putin’s alliance with ROC leadership is a core pillar of his domestic political strategy. Whether this creates any institutional interest in Scientology data is speculative—but it provides context for why such data might have value beyond ransom extraction.
3. What is Scientology’s security posture?
Unrelated reports suggest potential security concerns within Scientology’s operations. YouTuber Tyler Oliveira penetrated and filmed CST’s Twin Peaks base, leading to reported changes in security arrangements. Scientology’s long-time security provider Talon was reportedly dismissed. Whether this reflects broader operational security vulnerabilities, including INCOMM which was breached by Qilin, remains unknown at present.
The question: Was Scientology’s IT infrastructure an easy target? Did Qilin use social engineering, exploit known vulnerabilities, or find another entry point? The attack method has not been disclosed.
4. What records might exist on U.S. government officials?
John Coale has been a Scientologist for over 40 years. If the breach accessed centralized Scientology databases (rather than just UK operational files), records on Coale could theoretically exist within the compromised data.
Coale is now the U.S. Special Envoy to Belarus—a position that makes him a direct interlocutor with Putin’s closest ally and, by his own account, a channel for advice on the Russia-Ukraine war.
The counterintelligence question: If a foreign intelligence service—or a criminal group with ties to one—possessed detailed confessional records and financial histories of a U.S. official engaged in diplomacy affecting Russian interests, what would that represent?
This is not an assertion that such records were taken. It is an observation about what the consequences would be if they were.
5. Has anyone connected these dots?
The timeline creates a notable sequence:
- November 9: Coale appointed Special Envoy to Belarus
- December 4: Qilin claims Scientology breach
- December: Coale discusses using Lukashenko as a back-channel to Putin
Unknown: Whether any U.S. counterintelligence assessment has examined potential compromise of U.S. officials through non-governmental organizational affiliations.
What We Don’t Know
It’s important to be explicit about the gaps:
- No evidence that Coale was specifically targeted
- No evidence that the FSB directed this attack
- No evidence of what specific data was actually exfiltrated
- No evidence that records on high-profile U.S. members were among the compromised files
- No confirmation from Scientology about the nature or extent of the breach
The Church of Scientology has declined to comment.
The Structural Issue
Even setting aside the Coale question, this incident highlights a broader issue: organizations that maintain extensive confessional and personal records on members—including individuals who hold government positions—represent potential intelligence targets.
This is not unique to Scientology. Any institution holding sensitive personal information on government officials creates potential counterintelligence exposure if compromised.
The question is whether existing security frameworks adequately address this category of risk.
For the Record
- Qilin attack on Scientology: Documented by multiple cybersecurity outlets, December 2025
- John Coale’s Scientology membership: Documented since 1980s, publicly acknowledged
- Coale’s appointment as Special Envoy to Belarus: Announced by Trump, November 9, 2025
- Coale’s role in Trump v. Meta: Confirmed by Coale to multiple outlets, January 2025
The questions raised here are based on the conjunction of these documented facts. Whether those questions warrant investigation by those with subpoena power and security clearances is not for a blog post to determine.
Sources: Cybernews, HackRead, SC Media, Zataz.com, Wall Street Journal, Kyiv Post, Kyiv Independent, Bloomberg, Wikipedia, Washington Post, Heavy.com
Categories: Scientology: Institutional Structure
The European (and UK) General Data Protection Regulation (GDPR) governs any organization that processes personal data of people in the EU; this includes religious organizations. There is no blanket exemption for churches. GDPR requires data to be collected for specific, explicit purposes and not reused incompatibly.
Scientology practice routinely violates this:
Auditing disclosures → ethics actions
Ethics reports → personnel decisions
Confessional material → OSA intelligence
Internal discipline → external legal/PR strategy
Staff confessions → future leverage after leaving
This purpose creep is explicitly forbidden under Art. 5(1)(b).
AEx:
1. How much do you think Qilin got when it hacked into Scientology’s system at St. Hill?
2. I amended this blog post to include your GDPR comment. Thank you for posting it.
I will email you as it’s too long.
I worked in INCOMM as a Computer Room operator on duty, highest security clearance to work in the inner computer rooms.
My ex wife used to work in OSA Int’s “Files” and she used to run the Freewinds public clearances files, meaning she upkept the OSA files that allowed or not, persons to go do OT 8, which Coale and Van Susterin have both done.
Within OSA Int, per Dan Garvin, who you should contact Jeffrey, and get the basic OSA Int most sensitive files handling.
I recall Dan years ago saying that Brian Mills ran the highest sensitive OSA Int computers and they were standalone.
Standalone is also what INCOMM in LA and INCOMM at Int also have, I know, I visited those standalone computer at night and weekly, to do the “backups” on them. AT Int, I physically delivered one standalone computer from ASI to INCOMM Int for Miscavige’s SOLE use.
Standalone computers is how the most sensitive OSA Int intel is most likely kept, that is what they did.
IN the Marc Headley “Blow For Good” book, the inflap coverpages at both ends of the book, those inside flaps are the maps of the Int Base storage building where OSA Int years and years ago, I know, my ex used to visit them, exactly during the digitization long ago missions done.
So, most likely, adding everything together, the most sensitive standalone computer of OSA Int’s today, having sensitive data on the highest Scientologists, all the way to even Tom Cruise, is at the highest highest Scientology levels handled by he standalone computer people who are either OSA Int staff, like whoever is the current same job that Brian Mills used to be. Dan Garvin can brief on that, ask him.
——————————
When I left INCOMM from ASI, since ASI uses computer which are totally in sync software wise with the INCOMM system of Int and LA, and with CST/Archives system, and OSA Int’s regular OSA staff users’ computers are in with the LA computer room at INCOMM LA, with the exception Dan Garvin can brief you on, what likely are the location based on where their old location was, which used to be in the basement of the HGB building.
But per Rinder, some sensitive OSA Int stuff even some laptops or computer drives like backups, would very likely be under the care of the law offices that OSA Int is connected to, the outside Moxon law offices, whatever those are.
——————————–
So, all the above insider info, take that all into consideration, that’s where the hackers from Russia might be targeting, if they knew where to hack.
They’d have to hack the standalone OSA Int computers, either into the HGB basement, or the OSA Int floors of the HGB, or the where the OSA Int lawyer Moxon goes to the outside law offices.
That’d be the target.
The old paper files in the files building at Int Base, marked in Mark Headley’s book’s inside book flap pages both ends of his book, might still have some, but I would guess NOT the really hottest Scientologists’ “out quals” dirt files info.
—————————–
One thing I forgot to mention is the L. Ron Hubbard “Chug” system.
The RTC Int and Pers Data Files computer server system would be this “Chug” system.
I used to use that system, when I was an ASI Establishment Officer In Training, I used it to check the qualifications of the staff at Int Base while I was looking for someone to name as a possible “Ethics Officer/Master At Arms” job for hiring to ASI.
It’s probably got a new name, but that top level server, the old “RTC Int Pers and Ethics” server data base has the summary of ALL Scientologists, and for each Scientologist staff, particularly the upper top level Sea Org members, it has a “field” with the insider “out quals” of every staffer. That is where an authorized head hunter HR inside top person, and there are literally less than 10 people with full access, can go instantly, and check the “out quals” for the top people.
Access to it, to the RTC Int Pers and Ethics data files server is kept in the INCOMM Int computer room.
I only ever accessed it from offices at the Int Base INCOMM Int computer system.
You cannot access that from any other INCOMM facility. It’s a standalone computer setup with only certain computer stations to access it, and it’s only at Int.
THUS, conclusion, if the same security, meaning standalone, for the most sensitive personnel info (the “Chug”, the old “Police Computer” both standalone in INCOMM LA; or the RTC Pers and Ethics standalone server access only at certain stations at Int Base; or the HGB Basement if it’s still there, or the OSA Int floors 10 or 12 standalone sensitive files computers; or the Moxon law offices outside from the HGB building in LA wherever those law offices are, and likely that’s where I’d be putting the “backup” computer disks of everything that is top hot stuff).
Chuck Beatty
INCOMM staff 1990-1992
ASI computer person 1992 to 1995
PS: Top INCOMM Int computer persons I knew who likely if still there, would now what is what today, are James Perry, Paul Wilmshurst, John Dunn, Pat Buglewicz.
Rog Kernbach too, if he’s stlll the INCOMM Int computer room boss.
Standalone is the only safe way to prevent outside hackers, and in the past I’ve personally setup ONE such standalone computer myself, for David Miscavige’s sole use. It contained what were titled the “COB ASI” traffic from LRH to Misavige.
Extremely informative comment dear Chuck
Thanks for posting this Chuck. I turned it into a separate blog post: The Qilin Ransomware Attack on St. Hill: Chuck Beatty’s Description of Scientology’s Data Architecture in the 1990’s and Early 2000’s