- A proposed class action alleges Cushman & Wakefield failed to protect client data after hackers reportedly accessed sensitive personal and financial information.
- Cybernews reported that hacker group ShinyHunters claimed access to more than 500,000 sales-team records and threatened to release the data unless a ransom was paid.
- The lawsuit adds to growing cybersecurity concerns across commercial real estate as firms and service providers become larger targets for ransomware and phishing attacks.
Commercial real estate giant Cushman & Wakefield is facing a proposed class action lawsuit less than a week after confirming a cybersecurity breach that allegedly exposed sensitive client data, reports Bisnow. The lawsuit, filed May 8 in the US District Court for the Southern District of New York, claims hackers gained access to personal information through a voice phishing campaign tied to cybercrime groups ShinyHunters and Qilin.
The Chicago-based brokerage confirmed the breach to Cybernews on May 5, describing it as a “limited data security incident” that did not disrupt company operations. The firm said it is notifying affected clients while disputing the legal claims tied to the incident.
Get Smarter about what matters in CRE
Stay ahead of trends in commercial real estate with CRE Daily – the free newsletter delivering everything you need to start your day in just 5-minutes
A Phishing Campaign Targeting CRE Data
According to the lawsuit and reporting from Cybernews, hackers accessed names, Social Security numbers, birth dates, and financial information belonging to current and former Cushman & Wakefield clients. The New York Post reported that plaintiffs accused the brokerage of “losing control” of the data and failing to implement adequate cybersecurity protections.
Lead plaintiff Michelle Milewski, an Illinois resident, alleged in the complaint that she experienced a surge in scam phone calls, emails, and text messages after the breach became public. The lawsuit accuses Cushman & Wakefield of negligence and failing to adopt industry-standard security safeguards before and after the attack.
The Details
Cybernews reported that ShinyHunters claimed on its dark web leak site to possess more than 500,000 records tied to Cushman & Wakefield’s sales operations. The group allegedly demanded ransom payment and threatened on May 3 to release the data within three days if the brokerage did not respond.
Qilin, another ransomware group, also reportedly listed Cushman & Wakefield on its leak site on May 4, according to Cybernews. A company spokesperson told Bisnow that the brokerage did not engage with ShinyHunters and considers the lawsuit “baseless.”
“We are aware of this litigation and find the lawsuit to be baseless,” the spokesperson said in a statement to Bisnow. “The data incident referenced was very limited in scope and we’re in the process of communicating to any clients that were impacted.”
Cybersecurity Risks Spread Across CRE
The incident is the latest reminder that commercial real estate firms and vendors remain vulnerable to increasingly sophisticated cyberattacks. CRE companies manage large volumes of financial records, investor data, tenant information, and transaction documents, making them attractive targets for ransomware groups and phishing operations.
The breach follows several other high-profile CRE-related cyber incidents over the past year. In November 2025, software platform SitusAMC disclosed a breach affecting mortgage and loan servicing data tied to major financial institutions including JPMorgan Chase, CitiGroup, and Morgan Stanley. That same month, the Georgia Superior Court Clerks’ Cooperative Authority temporarily shut down systems after detecting what it called a “credible and ongoing cybersecurity threat” targeting its real estate database infrastructure. The incident also comes as brokerages navigate broader market uncertainty that has started influencing leasing and investment decisions across the sector.
Why It Matters
Cybersecurity threats are becoming a larger operational and reputational risk for brokerages, lenders, and property technology platforms as more real estate workflows move online. Data breaches can expose firms to litigation, regulatory scrutiny, ransom demands, and client trust issues that extend well beyond the initial incident.
The financial consequences are also climbing. According to IBM’s 2025 Cost of a Data Breach Report, the average US data breach cost reached $9.48M in 2025, with phishing remaining one of the most common attack vectors. For global brokerages handling sensitive financial and tenant data, the stakes are particularly high.
What’s Next
Cushman & Wakefield will likely face increased scrutiny over its cybersecurity protocols as the lawsuit moves through federal court. The case could also push other CRE firms to reassess employee training, vendor security standards, and phishing defenses as ransomware groups continue targeting real estate organizations with large data footprints.
