Cushman & Wakefield Confirms Data Breach Following Dual Cyberattacks by ShinyHunters and Qilin
Real estate firm Cushman & Wakefield (C&W) has acknowledged a limited data breach after two cybercrime groups ShinyHunters and Qilin independently claimed responsibility for attacks on the company. The incident originated from a vishing (voice phishing) attack, suggesting an employee was manipulated through social engineering.
A C&W spokesperson stated that the company detected the breach, activated response protocols, and engaged third-party experts to investigate. While the company assured that systems and operations remain unaffected, it did not address the dual claims by the two threat actors.
ShinyHunters, known for its pay-or-leak extortion model, alleged it breached C&W on May 1, stealing over 500,000 Salesforce records containing PII and internal corporate data. The group set a May 6 deadline for C&W to respond before leaking the data, though no contact was reportedly made.
Meanwhile, Qilin, currently ranked as the world’s most prolific ransomware group, listed C&W on its leak site on May 4 but did not disclose attack details. The timing of the two incidents appears coincidental, as there is no known collaboration between the groups.
ShinyHunters has been particularly active in recent months, claiming responsibility for high-profile breaches, including a supply chain attack on Salesforce in March that exposed data from over 100 customers. Other victims linked to the group include ADT, Carnival Cruise Line, Rockstar Games, and Vimeo, though not all attacks were directly tied to the Salesforce compromise.
Source: https://www.theregister.com/2026/05/05/cushman_wakefield/
Salesforce TPRM report: https://www.rankiteo.com/company/salesforce
Carnival Cruise Line TPRM report: https://www.rankiteo.com/company/carnival-corporation
Cushman & Wakefield TPRM report: https://www.rankiteo.com/company/cushman-&-wakefield
ADT TPRM report: https://www.rankiteo.com/company/adt
"id": "caradtsalcus1778027258",
"linkid": "carnival-corporation, adt, salesforce, cushman-&-wakefield",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'real estate',
'name': 'Cushman & Wakefield',
'type': 'company'}],
'attack_vector': 'vishing (voice phishing)',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 'over 500,000',
'personally_identifiable_information': True,
'sensitivity_of_data': 'high',
'type_of_data_compromised': ['PII',
'internal corporate data']},
'description': 'Real estate firm Cushman & Wakefield (C&W) has acknowledged a '
'limited data breach after two cybercrime groups ShinyHunters '
'and Qilin independently claimed responsibility for attacks on '
'the company. The incident originated from a vishing (voice '
'phishing) attack, suggesting an employee was manipulated '
'through social engineering.',
'impact': {'data_compromised': 'over 500,000 Salesforce records containing '
'PII and internal corporate data',
'identity_theft_risk': 'PII exposed',
'operational_impact': 'systems and operations remain unaffected'},
'initial_access_broker': {'entry_point': 'vishing (voice phishing)'},
'investigation_status': 'ongoing',
'motivation': ['extortion', 'data theft'],
'references': [{'source': 'Cyber Incident Description'}],
'response': {'incident_response_plan_activated': True,
'third_party_assistance': True},
'threat_actor': ['ShinyHunters', 'Qilin'],
'title': 'Cushman & Wakefield Data Breach Following Dual Cyberattacks by '
'ShinyHunters and Qilin',
'type': ['data breach', 'extortion'],
'vulnerability_exploited': 'social engineering'}