
Cyber Incident Victim: Colliers International Group

Date: Nov 2020

Location: Canada

Summary

Colliers International Group, a Toronto-based commercial real estate services firm, experienced a cyberattack potentially linked to the Netfilm ransomware gang, which listed stolen company files on the dark web as proof of data exfiltration. The organization acknowledged the security incident but declined to confirm whether ransomware was involved or validate the attackers' claims regarding compromised data.


Description

Colliers International Group, a Toronto-based commercial real estate services firm, experienced a cyberattack in November 2020. The company publicly acknowledged the incident after being confronted by IT World Canada regarding evidence of the attack posted on the dark web. A ransomware group identified as "Netfilm" (likely a misspelling of NetWalker) claimed responsibility for the breach and listed Colliers' data on their dark web leak site, indicating they had successfully exfiltrated company files prior to encryption. The listing served as proof that attackers had accessed and copied sensitive information from Colliers' systems. Despite this public evidence of data theft, Colliers declined to confirm whether ransomware was involved in the incident when questioned by media outlets. The company spokesperson verified only that a cyberattack had occurred, without providing additional technical details about the intrusion vector, scope of compromised systems, or specific data types affected. The timing of the dark web listing relative to the November attack timeline suggests the threat actors operated undetected for a period before executing their ransomware payload and exfiltration efforts.


The attackers' publication of stolen data demonstrated successful network penetration and established that Colliers suffered a data breach beyond mere system encryption. The company's refusal to confirm the ransomware component contrasted with standard incident disclosure practices when faced with irrefutable evidence of data exfiltration. No details were released regarding containment measures, forensic investigations, or potential operational disruptions resulting from the attack. The absence of confirmed information about data types left stakeholders uncertain about potential exposure risks, though the ransomware group's typical targets included financial documents, client information, and corporate communications. Colliers did not disclose whether they engaged with the threat actors, paid any ransom demands, or implemented specific remediation steps following the attack. The incident highlighted ongoing challenges in corporate transparency regarding ransomware impacts, particularly when attackers publicly validate breach claims through data dumps.
