
Cyber Incident Victim: Gaedeke Group

Date: Jun 2021

Location: United States of America

Summary

Gaedeke Group experienced a data breach when an unauthorized party accessed multiple employee email accounts, compromising sensitive personal information including names, addresses, Social Security numbers, driver’s license and passport details, and medical data of employees, suppliers, and other individuals. The company secured affected accounts, engaged forensic investigators, and notified impacted parties after determining the scope of exposed data. The incident at the Texas-based real estate firm, which manages office properties across several U.S. states, exposed vulnerabilities in email account security, though the specific intrusion method was not disclosed.


Description

On July 28, 2022, Gaedeke Group, LLC publicly confirmed a data breach resulting from unauthorized access to multiple employee email accounts. The Dallas-based real estate company discovered that an unauthorized party or parties had infiltrated these accounts between June 28, 2021, and August 24, 2021—a period spanning nearly two months. Upon identifying the intrusion, Gaedeke immediately secured the compromised email accounts and engaged a cybersecurity forensics firm to investigate the incident's scope and origin. The forensic review determined that sensitive personal information belonging to employees, suppliers, and associated individuals had been exposed during the breach. Compromised data categories included full names, physical addresses, Social Security numbers, driver’s license numbers, passport numbers, and specific medical information, with the exact combination varying per affected individual. The company completed its analysis of the impacted files and finalized the list of victims approximately eleven months after the unauthorized access period concluded.


Gaedeke Group formally notified all affected parties through data breach letters dispatched on July 28, 2022, exactly one year after the initial intrusion window began. The notification outlined the types of exposed personal data but did not disclose the total number of impacted individuals or the specific method of initial account compromise. Founded in 1995, the company manages 3 million square feet of office properties across Arizona, Texas, Florida, New York, and Washington, D.C., employing over 100 staff and generating approximately $25 million in annual revenue. Its operations include real estate investment, acquisitions, leasing, property management, and construction services for corporate clients, amplifying the potential exposure of sensitive tenant and vendor data. The breach investigation did not reveal evidence of subsequent misuse of the stolen information prior to the notification date. No ransomware deployment, system encryption, or operational disruption beyond the email account compromise was reported in the company’s disclosure.
