Cushman & Wakefield Hit by Breach; Client Data Targeted in Twin Cyber Claims
Cushman & Wakefield confirms a breach exposing client records after two cyber gangs claimed access.
Why it matters: Client names and contact details were exposed, heightening risks for GDPR and US privacy law violations. Legal and compliance teams at large firms must assess incident notification duties and exposure to litigation or regulatory penalties.
- Cushman & Wakefield confirmed a cyberattack after a phone-based phishing scam compromised internal access.
- Threat group ShinyHunters claims theft of over 500,000 Salesforce records with client personally identifiable information (PII).
- A second group, Qilin, also alleges a breach, placing Cushman & Wakefield on its public data leak site pending ransom demands.
- The company has yet to disclose the full scope of compromised data or its planned legal and compliance response.
Cushman & Wakefield, a leading global real estate services firm, has confirmed it suffered a data breach after cybercriminals gained internal access through a vishing—telephone phishing—attack. Both the ShinyHunters hacktivist group and Qilin ransomware gang now independently claim to have stolen sensitive information.
- ShinyHunters asserts it took more than 500,000 records from the company’s Salesforce platform, reportedly including client names, contact data, and internal business files. The group is demanding a ransom and has threatened to publish the stolen files if it is not paid. (CyberNews)
- Qilin, a known ransomware syndicate, also alleges it breached Cushman & Wakefield, adding the company’s name to its public leak site. (HookPhish)
ShinyHunters and Qilin are both linked to recent large-scale attacks targeting companies with significant data assets via social engineering. No independent cybersecurity or regulatory body has yet verified the attackers’ claims, and no samples of breached data have been publicly posted as of publication.
Cushman & Wakefield operates over 400 offices in 60+ countries, processing data for global corporate clients. Its size and international reach mean a breach triggers a patchwork of legal obligations—ranging from GDPR in the EU to state and federal breach notification rules in the US.
The company said it is responding but has not yet detailed the types of data compromised, nor its strategy on ransom and regulatory reporting. For in-house counsel, the case underscores the importance of robust incident response and prompt assessment of legal notification triggers under international privacy laws.
Uncertainty remains regarding the authenticity and scope of the criminal groups’ claims, as neither independent cybersecurity experts nor regulators have confirmed the full extent.
By the numbers:
- 500,000+ — Number of Salesforce records ShinyHunters claims to have stolen
- 400+ — Cushman & Wakefield office locations potentially exposed in the breach
Yes, but: Neither independent cybersecurity experts nor regulatory authorities have verified the attackers’ breach claims or released evidence of leaked data.
What's next: Ongoing breach investigations may prompt regulatory disclosures or client notifications if claims are substantiated.