Cushman & Wakefield Faces Class Action After Major Data Breach Exposing Client Information

Severity: High (Score: 68.0)

Sources: Gbhackers, Bisnow

Summary

Cushman & Wakefield confirmed a data breach affecting over 310,000 accounts, attributed to a cyberattack by hacker groups ShinyHunters and Qilin. The breach involved a voice phishing campaign that compromised personal data, including names, Social Security numbers, and financial information. Following the attack, ShinyHunters threatened to leak the data unless a ransom was paid. A class action lawsuit was filed on May 8, 2026, claiming negligence on the part of Cushman & Wakefield for failing to implement adequate cybersecurity measures. The company described the incident as a 'limited data security incident' and stated that operations were normal. The breach has led to increased scam communications for affected clients. The incident highlights ongoing risks in the commercial real estate sector, which has faced multiple cyberattacks recently. Key Points: • Cushman & Wakefield's data breach affects over 310,000 accounts. • The breach was executed through a voice phishing campaign by ShinyHunters and Qilin. • A class action lawsuit claims negligence in cybersecurity measures by the firm.

Key Entities

• Data Breach (attack_type)
• Phishing (attack_type)
• Ransomware (attack_type)
• Citigroup (company)
• Cushman & Wakefield (company)
• JPMorgan Chase (company)
• Morgan Stanley (company)
• SitusAMC (company)
• CWE-200 - Exposure of Sensitive Information (cwe)
• Real Estate (industry)
• T1486 - Data Encrypted for Impact (mitre_attack)
• T1566 - Phishing (mitre_attack)
• T1567 - Exfiltration Over Web Service (mitre_attack)