Cal Fresh Ransomware Attack by Termite (June 2026)

Claim Summary

On June 8, 2026, the ransomware group known as “Termite” allegedly added the California food assistance program Cal Fresh (calfresh.ca.gov) to its dark web leak site. The threat actor claims to have compromised systems associated with the California Association of Food Banks (CAFB), which administers CalFresh application assistance and hunger relief programs across the state. According to the leak site post, Termite asserts it has exfiltrated data from the organization, though the volume and specific nature of the stolen information remain undisclosed. This claim has not been independently verified by Yazoul Security, and no official confirmation from CAFB or Cal Fresh has been issued at the time of writing.

Threat Actor Profile

Termite is a relatively obscure ransomware group with limited public attribution. Based on available intelligence, the group has a small number of confirmed victims, and its operational tactics, techniques, and procedures (TTPs) are not well-documented in open-source research. No known tools, such as specific remote access trojans or encryption mechanisms, have been publicly attributed to Termite. The group’s credibility is difficult to assess due to its low profile; however, ransomware actors frequently exaggerate claims to pressure victims into negotiation. Without a track record of verified breaches, this claim should be treated with heightened skepticism. No YARA rules or detection guidance specific to Termite are currently available.

Alleged Data Exposure

The Termite leak site post references the California Association of Food Banks (CAFB) and its role in administering CalFresh, a federally funded food assistance program. The group claims to have accessed data related to CAFB’s operations, which may include:

• Consumer application assistance records for CalFresh applicants
• Partner organization data from food banks and community-based organizations
• Internal communications or administrative files

However, no specific data samples, file lists, or evidence of exfiltration have been provided by the threat actor. The claim lacks technical details that would typically corroborate a breach, such as file names, database schemas, or timestamps. Given the absence of proof, this alleged exposure remains unsubstantiated.

Potential Impact

If confirmed, a breach of Cal Fresh or CAFB systems could have significant consequences:

• Privacy Risks: Exposure of personal information from CalFresh applicants, including names, addresses, income data, and household composition, could lead to identity theft or fraud.
• Operational Disruption: Ransomware encryption could disrupt CAFB’s ability to process applications, coordinate with partner food banks, and distribute benefits to vulnerable populations.
• Reputational Harm: For a government-affiliated hunger relief program, a data breach could erode public trust and complicate ongoing efforts to combat food insecurity in California.
• Regulatory Consequences: As a program handling sensitive personal data, Cal Fresh may be subject to state and federal data breach notification laws, potentially resulting in fines or oversight actions.

What to Watch For

• Official Statements: Monitor the California Department of Social Services (CDSS) and CAFB for any acknowledgment or denial of the claim.
• Leak Site Updates: Termite may release additional details or data samples to pressure the victim. Yazoul Security will track any changes to the leak site.
• Dark Web Chatter: Watch for discussions on underground forums regarding the sale or distribution of Cal Fresh data.
• Phishing Campaigns: If data is confirmed stolen, threat actors may use it to target CalFresh applicants with social engineering attacks.

Disclaimer

This report is based solely on an unverified claim posted by the Termite ransomware group on their dark web leak site. Yazoul Security has not independently confirmed any data breach, system compromise, or data exfiltration involving Cal Fresh, the California Association of Food Banks, or any affiliated entities. Ransomware groups routinely fabricate or exaggerate claims to extort victims. All information herein should be treated as preliminary and subject to change upon verification. No PII, download links, or access credentials are included in this report. Readers are advised to seek official confirmation from relevant authorities before taking action.