Cushman & Wakefield said it activated incident response protocols after separate threats from ShinyHunters and Qilin, as the real estate services firm dealt with a limited data security incident tied to vishing. The company said it had moved to contain unauthorized activity and brought in third-party expert advisers while its systems and operations continued to run normally.
A company spokesperson said Cushman & Wakefield recently became aware of the incident and was working to investigate it, adding that the firm takes the protection of sensitive data seriously. The disclosure puts the company at the center of two separate cyber claims that surfaced within days of one another: ShinyHunters said it attacked the firm on May 1, while Qilin later listed Cushman & Wakefield on its data leak site on May 4.
ShinyHunters said it had stolen more than 500,000 Salesforce records containing personally identifiable information and other internal corporate data, and set a May 6 deadline for Cushman & Wakefield to make contact to prevent the information from being leaked. The group said that contact had not yet happened. Qilin’s listing and the ShinyHunters claim have not been linked by any established coalition, and the timing suggests separate attacks that landed on the same target almost simultaneously.
The episode comes as ShinyHunters has been tied to a new wave of activity that began in March, after the group claimed a supply chain attack that breached Salesforce customers through Salesforce itself. At the time, it said it had stolen data belonging to Salesforce and more than 100 of its high-profile customers, and major brands including ADT, Carnival Cruise Line, Rockstar Games and Vimeo have since confirmed ShinyHunters-linked cyberattacks.
ShinyHunters operates a pay-or-leak model, and Qilin is currently viewed as the world’s most prolific ransomware group. For Cushman & Wakefield, the immediate question is not whether its business can keep running — the company says it can — but whether the data tied to these claims will surface and how much damage the separate campaigns may ultimately do.
