
The Cushman & Wakefield Cyberattack Is a Wake-Up Call for Commercial Real Estate

Commercial real estate companies hold an enormous amount of sensitive data. Client financial records, tenant personal information, transaction histories, lease agreements, and the personal details of hundreds of thousands of individuals flow through the systems of large brokerage and property management firms every day. The industry has historically treated cybersecurity as a back-office concern, something to be managed by IT rather than understood at the business level. A cyberattack on Cushman & Wakefield last month is making that posture harder to defend, and the circumstances of the attack are instructive not just for what happened but for how it happened and who was responsible.

Cushman & Wakefield, one of the world’s largest commercial real estate services firms with operations in more than 60 countries and roughly $9 billion in annual revenue, confirmed in early May that it had experienced a data security incident stemming from a vishing attack, the term for voice phishing, in which an employee was socially engineered over the phone into providing access or credentials. A company spokesperson described the incident as “limited” and said the company had “activated its response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors to support a comprehensive response.” The company stated that its systems and operations continued to run normally. What it did not address, at least initially, was the identity of the attackers, and that silence left the door open for two separate and unrelated cybercrime groups to step forward with competing claims of responsibility.

ShinyHunters claimed it attacked the company on May 1, while Qilin listed Cushman & Wakefield on its dark web leak site on May 4. There is no previously established coalition between ShinyHunters and Qilin. ShinyHunters claimed it stole over 500,000 Salesforce records containing personally identifiable information and other internal corporate data, and set a May 6 deadline for Cushman to make contact to prevent the data from being leaked. Cushman said it did not make that contact. The compromised data included email addresses, job titles, names, phone numbers, and physical addresses, affecting more than 310,000 accounts, with some reporting putting the figure above 500,000 records.

To understand the significance of the attack, it helps to understand who these groups are. ShinyHunters is one of the most active and consequential cybercrime organizations operating today. Active since 2019 and responsible for breaching more than 400 organizations across retail, technology, finance, aviation, and automotive sectors, the group doesn’t primarily hack through technical vulnerabilities. It exploits authentication tokens, SaaS misconfigurations, supply chain integrations, and AI-powered voice phishing to access systems organizations have left open. Using three core attack playbooks (voice phishing for SSO credentials, Salesforce Experience Cloud misconfigurations, and supply chain attacks), ShinyHunters has breached over 40 organizations in 2026 alone, with confirmed victims including Carnival, ADT, Charter Communications, Rockstar Games, and the European Commission. The group executed a widespread data theft campaign targeting Salesforce cloud customers beginning in June of 2025 and has since been linked to a sprawling series of attacks across industries. The Cushman attack fits the pattern precisely: a vishing call that socially engineered an employee, likely targeting Salesforce credentials or access.

Qilin is a different kind of threat with a different operational model and an equally alarming track record. First identified in 2022 under the name Agenda, the group has grown from a relatively obscure operation into one of the most prolific ransomware gangs tracked by global cybersecurity agencies. Its targets span healthcare, education, manufacturing, and media, chosen for their low tolerance for downtime and their likelihood of paying. Qilin claimed over 1,000 victims on its leak site in 2025 alone, listed at a rate of more than 40 victims per month in the second half of the year. In 2026 alone, the group has posted over 500 victim organizations, making it one of the most active ransomware operations in the world. What makes Qilin particularly dangerous is its technical evolution. The group has been observed stealing Google Chrome credentials before triggering encryption, abusing Windows Subsystem for Linux to evade endpoint detection, and harvesting VPN credentials to establish persistent footholds inside corporate networks. The group operates a ransomware-as-a-service model, meaning affiliates conduct attacks using Qilin’s infrastructure, which makes attribution and law enforcement intervention considerably more complex.

The dual claim of responsibility is itself worth examining carefully. When two separate cybercrime groups independently claim an attack on the same organization within days of each other, it can indicate several things. It may mean both groups genuinely accessed the organization’s systems through separate intrusions, potentially exploiting different vulnerabilities or entry points. It may mean one group is falsely claiming credit for an attack carried out by another, a form of reputational opportunism that is not uncommon in the cybercrime ecosystem. Or it may mean the initial breach by one group created exposed access that a second group also exploited before the vulnerability was closed. Qilin listed Cushman on its dark web leak site but did not provide any context or data sample, while ShinyHunters provided specifics about the data it claimed to have stolen. Security experts noted no prior collaboration between the two groups, making coordinated action unlikely. The dual attribution is more a reflection of how target-rich major real estate firms have become than any unusual coordination between criminal organizations.

A class-action lawsuit was filed against Cushman in mid-May by a commercial tenant accusing the firm of failing to protect client personal information and of negligence by failing to make security practice updates before the breach occurred. The plaintiff claimed that the data breach resulted in spam and scam emails, text messages, and phone calls, causing anxiety and sleep disruption. That lawsuit was subsequently voluntarily dismissed without prejudice, meaning it could be refiled. Cushman characterized the complaint as baseless.

The Cushman attack was not the result of a sophisticated technical exploit. It was the result of a phone call. A vishing attack requires no technical sophistication from the attacker beyond social engineering skills, and it defeats even well-maintained technical security infrastructure if the person on the receiving end of the call can be convinced to share credentials or provide access. ShinyHunters has specifically targeted corporate support desks, with attackers impersonating IT staff and directing employees to enter connection codes that authorized actor-controlled applications. The same tactics that have successfully breached Salesforce environments across hundreds of organizations in the past year are directly applicable to any large real estate company that maintains a Salesforce CRM, which is to say a very large number of them.

Vishing resistance requires regular simulation training for any employee who handles inbound requests for access, credentials, or system changes. The verification procedures for identity confirmation during phone-based support interactions need to be both rigorous and actively enforced. Salesforce environments and other SaaS platforms need regular audits of authentication permissions, connected apps, and guest user configurations that may expose data through misconfigured access. Multi-factor authentication needs to cover every access point, not just the obvious ones.
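The connected-app audit recommended above can be sketched in a few lines. This is an added example, not part of the original article: the field names, app identifiers, and allowlist are constructed for illustration and are not a real Salesforce export schema.

```python
from datetime import datetime, timedelta

# Hypothetical allowlist keyed by app identifier, not display name, because
# whoever registers an app chooses its display name (constructed values).
APPROVED_APPS = {"app-001": "CRM Mobile", "app-002": "Marketing Sync"}

# Constructed sample export of connected-app authorizations.
SAMPLE_GRANTS = [
    {"app_id": "app-001", "app_name": "CRM Mobile", "user": "alice",
     "granted": "2026-01-10T09:00:00+00:00"},
    {"app_id": "app-777", "app_name": "Marketing Sync", "user": "bob",
     "granted": "2026-02-11T14:05:00+00:00"},
    {"app_id": "app-888", "app_name": "Support Portal Helper", "user": "carol",
     "granted": "2026-02-11T14:20:00+00:00"},
    {"app_id": "app-002", "app_name": "Marketing Sync", "user": "dave",
     "granted": "2026-02-10T08:00:00+00:00"},
]

def audit_grants(grants, approved, now, recent_days=7):
    """Return (severity, reason, grant) for every authorization of an app
    whose identifier is not on the approved list."""
    approved_names = {name.lower() for name in approved.values()}
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for g in grants:
        if g["app_id"] in approved:
            continue
        if g["app_name"].lower() in approved_names:
            # Same display name as an approved app but a different identifier.
            findings.append(
                ("high", "unapproved app reusing an approved display name", g))
        else:
            # Unknown app: a recent grant is more urgent than an old one.
            recent = datetime.fromisoformat(g["granted"]) >= cutoff
            findings.append(
                ("high" if recent else "medium", "app not on the approved list", g))
    return findings

def run_sample(now_iso):
    """Audit the constructed sample as of the given ISO 8601 timestamp."""
    return audit_grants(SAMPLE_GRANTS, APPROVED_APPS,
                        datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for severity, reason, grant in run_sample("2026-02-14T00:00:00+00:00"):
        print(f"[{severity}] {grant['user']} authorized "
              f"{grant['app_name']} ({grant['app_id']}): {reason}")
```

Matching on the identifier is what catches the second sample row, which a name-based allowlist would pass.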

The contractual and insurance arrangements that govern data liability need to be reviewed in light of an environment where a single phone call can expose hundreds of thousands of records and generate class-action litigation within weeks. The commercial real estate industry has been lucky to avoid the kind of high-profile cybersecurity incidents that have hit healthcare, retail, and financial services over the past several years. The Cushman & Wakefield incident is a signal that the luck may be running out.

The post The Cushman & Wakefield Cyberattack Is a Wake-Up Call for Commercial Real Estate appeared first on Propmodo.

