Hackers hit California Golf Club of San Francisco

The Qilin ransomware gang is at it again, this time allegedly breaching the California Golf Club of San Francisco (Cal Club), considered one of the nation’s most exclusive members-only golf clubs, and a favorite of Silicon Valley execs.

Qilin gang claims to have breached the exclusive California Golf Club of San Francisco, stealing 10GB of member data.
Leaked files expose personal and financial details of elite members, including dues, fees, and private correspondence.
With Cal Club information previously unreleased to the public, private members are now at risk of spear phishing and targeted fraud.

The notorious ransomware cartel posted the Cal Club claim on its leak site Tuesday, along with a sample of 23 files allegedly stolen from the prestigious golf club’s network servers, including an alleged database exposing tons of personal data on its members.

The group claims to have exfiltrated 10GB of data consisting of about 12,000 files.

Established in 1918, the Bay Area golf club ranked in the top 20 most exclusive golf clubs in the US by Forbes in 2025 and #50 out of the top 100 courses in the world in 2020 by Golf Magazine.

With a rumored six-figure invitation-only initiation fee according to the interwebs, and yearly dues in the tens of thousands, the private golf club is known for its unpublished roster of high-profile members, membership costs, and even keeping directions to the grounds close to its chest.

Qilin ransomware attack Cal Club post — Qilin leak site. Image by Cybernews.

Member names revealed

Cybernews can confirm the leaked documents are dated from December 2016 through September 2025, including an array of sensitive information, exposing not just member names but how much they’ve paid to belong to the premier facility.

The membership database alone contains names, addresses, phone numbers, email addresses, gender, birth date, dues paid, membership status, and more.

This makes the Cal Club breach much more enticing to the ransomware operators.

Qilin ransomware attack Cal Club samples — Qilin leak site. Image by Cybernews.

If Qilin decides to publish the private data – a common tactic cybercriminals use to pressure victims into paying a ransom demand – the exposure of members’ personally identifiable information (PII) could lead to major spear phishing and social engineering attacks.

Additionally, the legal ramifications Cal Club could face in the aftermath would be enormous and most certainly tarnish the reputation of the ultra-private golf club.

Cal Club inner workings exposed

Files posted on the Qilin victim blog include what appear to be official membership certificates, copies of emails addressed to newly accepted members from the Club's executive secretary, member letters of recommendation, membership criteria with fees, and board meeting minutes.

Interestingly, the Club does not reveal publicly how many members it has, but after sifting through the documents, one certificate identifies its recipient as member #1313, while an alternate doc lists member #2884.

Don't miss our latest stories on Google News

Another file that Cybernews was able to view purportedly exposes a membership “Waiting List” filled with dozens of names hoping for membership approval in categories such as national, proprietary, legacy, and juniors, dated September 26th, 2025.

As for membership costs, financial documents show one individual being charged $160,000 for an initial entrance fee in 2024, with monthly dues totaling $34,000 over the last 12 months, ranging anywhere from $2500 to $8500 depending on the month.

Anticipated monthly fees for 2026 were also presented, as well as a promissory note issued to another member.

Qilin ransomware attack Cal Club legacy sample — Qilin leak site. Image by Cybernews.

Furthermore, the documents show employee 401K information, performance evaluations, salary and bonus information for the Club’s superintendent and controller, and a copy of someone's driver’s license.

Finally a food and beverage invoice of $118,000 dollars from August 2025 and a diagram of a banquet room set-up round out the samples.

Qilin ransomware gang dominates 2025

Qilin has moved into the number one position as the most active ransomware gang in the past 12 months, targeting roughly 585 victims, according to Cybernews' Ransomlooker monitoring tool.

Including Japan's largest beer producer, Asahi Holdings, which was also just claimed on Tuesday, Qilin has aggressively outperformed its ransomware rivals, claiming more than 500 attacks since the beginning of January.

Qilin tops on Ransomloker Oct 7 — Cybernews Ransomlooker snapshot October 7th, 2025. Image by Cybernews.

Known for using a ransomware-as-a-service (RaaS) business model, the cybercriminal outfit often uses double extortion tactics on its victims, demanding a ransom for decryption and then a second payout to guarantee it will not leak the stolen files on the dark web after the fact.

The group, which is said to actively recruit affiliates on Russian language hacker forums, also avoids targeting Commonwealth of Independent States (CIS) countries, insinuating a Kremlin-aligned agenda.

Last making waves with an October 2nd hit on Israel's 4th largest hospital, Shamir Medical Center on Yom Kippur, the group recently claimed attacks on Nissan Japan's design arm, Creative Box, and US pharmaceutical research conglomerate Inotiv.

Past Qilin victims further include California PR firm Singer Associates, energy and manufacturing giant SK Group, US newspaper conglomerate Lee Enterprises, the Houston Symphony, Detroit’s PBS TV station, top North American auto parts suppliers Yanfeng in China, and the Utsunomiya cancer treatment center in Japan.