Qilin ransomware gang infiltrated San Francisco’s elite California Golf Club (Cal Club), stealing 10 GB of sensitive member data.
Recently, one of Silicon Valley’s most exclusive private institutions fell victim to a sophisticated cyberattack. The California Golf Club of San Francisco (known as Cal Club) – a century-old, invitation-only golf club ranked among America’s top 20 most exclusive by Forbes – was allegedly hacked by the notorious Qilin ransomware group. Reports indicate the attackers exfiltrated roughly 10 GB of data (about 12,000 files) from the club’s network. This massive breach exposed personal and financial details of elite club members, demonstrating that even high-profile, well-established organizations are vulnerable to modern ransomware threats.
Breach Overview
According to security reports, the Qilin gang announced the attack on its leak site, posting samples of 23 stolen files to substantiate the hack. Cybernews confirmed these documents span from December 2016 through September 2025, and include a broad range of sensitive records. Among the leaked data were members’ identities and contact details (names, birthdates, phone numbers, email and home addresses), as well as financial and membership records (dues paid, fees, membership status). The breach also revealed internal club documents that had never been public, such as employee performance reviews, salary and 401(k) information. Notably, the leaked files even exposed how many members Cal Club has (a fact it kept private) and included things like membership certificates and waiting lists for new members. In short, attackers gained a window into the exclusive club’s membership database and inner workings.
Data Exposed
Leaked files suggest the breach affected multiple categories of sensitive data, including:
- Member Personal Information: Names, genders, birthdates, phone and email contacts, and home addresses.
- Membership and Financial Records: Details of membership payments, initiation fees and dues. (For example, one document shows a 2024 initiation fee around $160,000 and about $34,000 in annual dues for a member )
- Club Documents and Correspondence: Official membership certificates, letters of recommendation, board meeting minutes, membership criteria, and even a list of dozens on the waiting list for membership.
- Employee and Internal Data: Staff performance evaluations, bonus/salary information, 401(k) plan details, and other internal HR records.
This trove of data represents a significant privacy violation: members’ identities and club finances are out in the open, and internal club operations have been laid bare.
Implications and Risks
The Qilin breach poses serious risks for both members and the club. Security analysts warn that if the stolen data is fully published, club members could be targeted with highly tailored spear-phishing and fraud campaigns using their leaked personal details. For example, criminals might impersonate club staff or vendors, referencing real dues amounts or member names to trick individuals. On the organizational side, Cal Club now faces legal and reputational fallout. Leaked employee records and private correspondence could expose the club to privacy lawsuits or regulatory fines, and may severely damage the trust and privacy expected by its high-profile membership.
About the Qilin Ransomware Gang
The Cal Club attack is part of a broader pattern. The Qilin group has emerged as one of the most aggressive ransomware operations in 2025. Cybersecurity trackers note that Qilin moved into the top spot as the year’s most active ransomware gang, claiming roughly 585 victims over the past 12 months. Its recent targets range from Japan’s Asahi Group Holdings (the country’s largest beer producer) to hospitals, media companies, and manufacturers worldwide. Qilin operates a ransomware-as-a-service (RaaS) model: it provides ransomware tools to affiliates and then demands double extortion — first for file decryption, then a second payment to keep the data from being leaked. The Cal Club breach illustrates how Qilin has shifted beyond typical corporate targets to include even exclusive social clubs with valuable member data.
