RE/MAX Hit by Cyberattack, Customer Data Exposed in Extortion Attempt
RE/MAX Southern Africa has confirmed a cyberattack that resulted in the exposure of customer data, following an extortion attempt by a hacker group. The incident, detected on 5 March 2026, involved unauthorized access to internal systems via a brute-force attack followed by SQL injection, allowing threat actors to extract and delete sensitive information.
In an email obtained by Business Report, the hacker identifying as part of "Team Cyber Strike" claimed to have stolen 291GB of data, including backups of deleted files and AWS S3 bucket contents. The group demanded payment, stating, "Please let us know your offer," but RE/MAX rejected the blackmail attempt, reaffirming its refusal to negotiate with criminals.
In a statement to franchisees, CEO Adrian Goslett acknowledged the breach, confirming that attackers accessed personal data, including identifying numbers, email addresses, physical addresses, phone numbers, ages, and transaction-related documents (e.g., OTPs, commission records). While no data was permanently lost thanks to successful recovery from backups the company is conducting a detailed impact assessment to determine the full scope of exposed information.
RE/MAX’s response included:
- Engaging external forensic specialists and legal counsel to investigate the breach.
- Restoring affected systems from backups and stabilizing operations.
- Strengthening access controls, rotating credentials, and notifying regulatory authorities.
- Reviewing AWS activity logs and conducting device-level forensic imaging for IT personnel with S3 access.
The company emphasized that the attack reflects the growing sophistication of cyber threats across industries, not a failure of its security measures. Preliminary findings suggest the breach may have enabled identity theft, fraud, or reputational harm for affected clients, though the exact categories of compromised data are still under review.
RE/MAX has since resumed full operations, with ongoing efforts to enhance its security posture in response to the incident.
REMAX Southern Africa cybersecurity rating report: https://www.rankiteo.com/company/remaxsa
"id": "REM1773340729",
"linkid": "remaxsa",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Real Estate',
'location': 'Southern Africa',
'name': 'RE/MAX Southern Africa',
'type': 'Real Estate Company'}],
'attack_vector': ['Brute-force attack', 'SQL injection'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (identifying numbers, email '
'addresses, physical addresses, phone '
'numbers, ages, OTPs, commission '
'records)',
'type_of_data_compromised': ['Personal data',
'Transaction-related documents']},
'date_detected': '2026-03-05',
'description': 'RE/MAX Southern Africa confirmed a cyberattack resulting in '
'the exposure of customer data following an extortion attempt '
'by a hacker group. The incident involved unauthorized access '
'to internal systems via a brute-force attack followed by SQL '
'injection, allowing threat actors to extract and delete '
'sensitive information. The hacker group demanded payment but '
'RE/MAX rejected the blackmail attempt.',
'impact': {'brand_reputation_impact': 'Potential reputational harm for '
'affected clients',
'data_compromised': '291GB of data, including backups, AWS S3 '
'bucket contents, identifying numbers, email '
'addresses, physical addresses, phone numbers, '
'ages, and transaction-related documents '
'(e.g., OTPs, commission records)',
'identity_theft_risk': 'Enabled identity theft or fraud',
'operational_impact': 'Systems restored from backups; full '
'operations resumed',
'systems_affected': 'Internal systems, AWS S3 buckets'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The attack reflects the growing sophistication of cyber '
'threats across industries, not a failure of security '
'measures.',
'motivation': 'Extortion',
'post_incident_analysis': {'corrective_actions': 'Strengthening access '
'controls, rotating '
'credentials, reviewing AWS '
'activity logs, conducting '
'forensic imaging',
'root_causes': 'Brute-force attack followed by SQL '
'injection leading to unauthorized '
'access'},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'recommendations': 'Enhance security posture, conduct detailed impact '
'assessments, and strengthen access controls.',
'references': [{'source': 'Business Report'}],
'regulatory_compliance': {'regulatory_notifications': True},
'response': {'communication_strategy': 'Notifying regulatory authorities, '
'informing franchisees',
'containment_measures': 'Restoring affected systems from '
'backups, stabilizing operations',
'incident_response_plan_activated': True,
'recovery_measures': 'Reviewing AWS activity logs, conducting '
'device-level forensic imaging',
'remediation_measures': 'Strengthening access controls, rotating '
'credentials',
'third_party_assistance': 'External forensic specialists and '
'legal counsel'},
'stakeholder_advisories': 'Statement to franchisees by CEO Adrian Goslett',
'threat_actor': 'Team Cyber Strike',
'title': 'RE/MAX Hit by Cyberattack, Customer Data Exposed in Extortion '
'Attempt',
'type': 'Data Breach, Extortion',
'vulnerability_exploited': 'Unauthorized access to internal systems'}