Cyber Incident Victim: Cushman & Wakefield
Date:
May 2026
Location:
United States of America
Summary
Cushman & Wakefield suffered a cyberattack carried out by the hacker groups ShinyHunters and Qilin, who used a vishing scheme to obtain names, dates of birth, social security numbers, driver’s license numbers and financial data of current and former clients. The exposed information led to a proposed class action alleging negligence, with plaintiff Michelle Milewski reporting identity theft, fraudulent credit‑card attempts, and ongoing spam that caused anxiety and sleep disruption. The company said the lawsuit is baseless, describing the breach as limited in scope and noting it is contacting affected individuals. A separate class action filed by a former employee claims the firm failed to monitor its 401(k) plan for climate‑related financial risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 12, 2026, a news article reported that Cushman & Wakefield had become the target of a proposed class action filed by commercial tenant Michelle Milewski of Illinois just days after hacker groups ShinyHunters and Qilin infiltrated the firm’s systems. The intrusion was described as a successful vishing attack in which attackers used phone calls or voice messages to trick employees into revealing sensitive information, resulting in the loss of control over personal data. According to the court filing, the exposed information included names, dates of birth, social security numbers, driver’s license numbers, and financial details of current and former clients and tenants. Milewski stated that she had already experienced identity theft and fraud, with unauthorized parties attempting to open new credit cards in her name and to alter her debit card mailing address and account information. Following the breach, she reported receiving a surge of spam and scam emails, text messages, and phone calls, which caused her anxiety and sleep disruption.
A Cushman & Wakefield spokesperson told the publication that the company was aware of the litigation and considered the lawsuit baseless, describing the ShinyHunters data incident as limited in scope and stating that the firm was in the process of notifying any affected clients. The spokesperson also said that ShinyHunters had threatened to release the stolen data unless Cushman & Wakefield contacted them, citing a screenshot from the court document that read, “Make the right decision, don’t be the next headline.” The spokesperson confirmed that Cushman & Wakefield did not engage with the hacker group. The class action complaint accuses the firm of negligence and of failing to update its security practices before and after the breach. In a separate matter, a former employee filed a class‑action suit in March alleging that Cushman & Wakefield had not adequately monitored or protected its employee 401(k) plan from climate‑related financial risks, according to a press release.
Milewski’s case was filed in New York because, although Cushman & Wakefield’s global headquarters is in Chicago, the company maintains a major regional office at 1290 Avenue of the Americas in Midtown Manhattan. The lawsuit asserts that the defendant failed to implement industry‑standard cybersecurity measures and did not meet minimum security standards. The spokesperson’s characterization of the incident as “very limited in scope” contrasts with the allegations of widespread exposure of sensitive personal information in the complaint. No further details about the specific systems compromised, the timeline of detection, or containment efforts were provided in the article.