Cushman & Wakefield Hit With Class Action After Security Breach
Less than a week after confirming it was the victim of a cyberattack, a global commercial real estate titan is facing a proposed class action for allegedly failing to protect clients' personal data.
Hacker groups ShinyHunters and Qilin gained access to the personal information of current and former Cushman & Wakefield clients through a voice phishing campaign, according to the lawsuit filed May 8 in the U.S. District Court for the Southern District of New York.
The lawsuit claims that Cushman & Wakefield “lost control” of clients’ names, Social Security numbers, dates of birth, and financial information in the cyberattack, the New York Post reported.
Chicago-based Cushman & Wakefield, which also has a regional office in Midtown Manhattan, confirmed the security breach to Cybernews on May 5. The firm said the breach was a "limited data security incident" and that its operations and systems were running normally.
Cybernews reported that ShinyHunters claimed on its dark web leak site to have accessed "more than 500,000" records from Cushman & Wakefield's sales team. On May 3, the hacker group reportedly threatened to release the records if Cushman & Wakefield didn't make contact and pay an undisclosed ransom within three days.
The CRE firm was also listed on Qilin's dark web leak site on May 4, according to Cybernews.
“We are aware of this litigation and find the lawsuit to be baseless,” a Cushman & Wakefield spokesperson said in a statement to Bisnow. “The data incident referenced was very limited in scope and we’re in the process of communicating to any clients that were impacted.”
The spokesperson also confirmed that the company didn’t contact ShinyHunters.
In the lawsuit, lead plaintiff Michelle Milewski of Illinois claimed to have been flooded with scam emails, phone calls and text messages since the breach. The suit accuses Cushman & Wakefield of negligence and allegedly failing to enact industry-standard cybersecurity measures before or after the breach.
Attorneys for Milewski did not immediately return Bisnow’s request for comment.
This isn't the first time hackers have targeted the CRE industry.
A data breach at software platform SitusAMC last November allowed cyberattackers to gain access to residential mortgage data and potentially more sensitive information. Financial institutions such as JPMorgan Chase, CitiGroup and Morgan Stanley were affected by the breach, as they used the platform to originate and service real estate loans and mortgages.
Ransomware hackers also paralyzed a Georgia commercial real estate database through a cyberattack in November. The Georgia Superior Court Clerks’ Cooperative Authority was taken offline after the agency activated its defensive security protocols because of “a credible and ongoing cybersecurity threat.”
The authority announced a week later that it had thwarted the attack.
