500,000+ Salesforce records | May 12, 2026 | Commercial Real Estate

Cushman & Wakefield

Vishing attack led to Salesforce compromise. ShinyHunters and Qilin extracted 500,000+ records including Social Security numbers, financial data, and tenant information. Now subject to proposed class action litigation.

Social Security numbers, driver's license numbers, financial data, tenant information, client details, personally identifiable information
1. What happened?

In May 2026, ShinyHunters and Qilin ransomware groups compromised Cushman & Wakefield through a vishing attack—voice phishing targeting employees to gain system access. The attackers successfully penetrated the company's Salesforce platform and exfiltrated over 500,000 records containing tenant and client information. The breach has already become the subject of proposed class action litigation in the United States.

2. What data was actually inside?

Social Security numbers, driver's license numbers, financial account information, and comprehensive tenant and client details from Cushman & Wakefield's Salesforce CRM. For a commercial real estate firm, Salesforce contains the entire business relationship infrastructure—lease negotiations, property management contacts, corporate tenant information, and financial arrangements.

The inclusion of Social Security numbers and driver's licenses indicates this wasn't just corporate contact data. Background checks for tenant applications, property management records, and financial qualification documents all flow through the Salesforce platform. Half a million records means years of tenant relationships, building management agreements, and corporate real estate transactions now in attacker hands.

3. Who gets hurt and how?

Commercial tenants, building managers, property owners, and individual renters who interacted with Cushman & Wakefield now have their Social Security numbers and financial information exposed. This is identity theft fuel—SSNs enable fraudulent credit applications, tax fraud, and financial account takeovers.

Corporate clients face business intelligence exposure. Lease terms, expansion plans, space requirements, and financial arrangements documented in Salesforce reveal competitive strategy. A company's real estate footprint tells competitors about growth plans, office consolidations, and market presence. That information now belongs to anyone willing to buy it from ShinyHunters or Qilin.

4. What did they think they were doing right?

Cushman & Wakefield used Salesforce—enterprise-grade, cloud-hosted, professionally managed CRM infrastructure. They implemented the platform to centralize client relationships, streamline property management, and maintain tenant records securely. Salesforce's security model includes access controls, encryption, and audit logging.

But technical security controls don't stop vishing attacks. An employee convinced by a phone call to provide credentials or approve access bypasses every firewall, every authentication system, every encryption layer. The attackers didn't break Salesforce's security—they convinced someone with legitimate access to let them in.

5. What did they not know about their own data?

Commercial real estate firms accumulate client data across decades of tenant relationships. Every lease application, every background check, every financial qualification review adds more personal information to the CRM. Cushman & Wakefield's Salesforce instance contained Social Security numbers—highly sensitive data requiring specific protection under federal and state law.

The presence of SSNs in Salesforce raises data inventory questions. Did Cushman & Wakefield know exactly which Salesforce fields contained Social Security numbers? Which properties' tenant records included driver's licenses? How many years of historical application data sat in the system? The class action litigation suggests they may not have fully understood what PII existed in their own CRM until attackers exfiltrated it.

If you use Salesforce, you probably have the same data types—emails, names, addresses, phone numbers. Do you know which fields contain PII?

6. What does attribution look like the morning after?

ShinyHunters and Qilin now possess 500,000+ records with Social Security numbers and financial data. Cushman & Wakefield faces proposed class action litigation from victims whose PII was exposed. State attorneys general in every jurisdiction where those 500,000 records reside will demand notification, explanation, and potentially penalties.

For individuals, the exposure is permanent. Social Security numbers cannot be changed except under extreme circumstances. Every person whose SSN was in that Salesforce instance now carries lifelong identity theft risk. Credit monitoring services offered as part of breach response provide temporary protection for permanent exposure.

7. What would have changed the outcome?

Knowing that Social Security numbers existed in Salesforce and implementing data minimization before attackers found them.

An organization that inventoried its Salesforce data would have discovered those SSNs years ago. They could have purged historical Social Security numbers no longer needed for business operations, moved sensitive PII to separate secure systems, or implemented field-level encryption and access restrictions specifically for SSN fields. Class action litigation was filed because highly regulated PII was stored in a CRM accessible through social engineering.
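The field inventory asked for in sections 5 and 7 can start as a scan of exported records for SSN-shaped values. The sketch below is an added example, not code from this report or from Salesforce. It assumes records shaped like Salesforce REST query results (each with an `attributes.type` entry); the object names, field names and sample values are constructed.

```python
import re
from collections import defaultdict

# SSN shape AAA-GG-SSSS, separators optional, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def is_plausible_ssn(area, group, serial):
    """SSA structural rules: cuts false positives from IDs and reference numbers."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(value):
    """Return SSN candidates in one field value, masked so reports hold no raw PII."""
    return ["***-**-" + m.group(3) for m in SSN_RE.finditer(str(value))
            if is_plausible_ssn(*m.groups())]

def inventory(records):
    """Map 'Object.Field' -> share of populated values holding an SSN candidate."""
    populated, flagged = defaultdict(int), defaultdict(int)
    for rec in records:
        obj = rec["attributes"]["type"]
        for field, value in rec.items():
            if field == "attributes" or value in (None, ""):
                continue
            key = f"{obj}.{field}"
            populated[key] += 1
            flagged[key] += bool(find_ssns(value))
    return {k: flagged[k] / populated[k] for k in populated if flagged[k]}

# Constructed sample export; object and field names are hypothetical.
SAMPLE = [
    {"attributes": {"type": "Contact"}, "Name": "Constructed Tenant A",
     "Phone": "415-555-0123", "Description": "Background check, SSN 078-05-1120 on file"},
    {"attributes": {"type": "Contact"}, "Name": "Constructed Tenant B",
     "Phone": "(212) 555-0188", "Description": "Renewal call scheduled"},
    {"attributes": {"type": "Lease_Application__c"},
     "Applicant_Tax_ID__c": "219099999", "Notes__c": None},
    {"attributes": {"type": "Lease_Application__c"},
     "Applicant_Tax_ID__c": "000-12-3456", "Notes__c": "ref 900-11-2222"},
]

if __name__ == "__main__":
    for field, rate in sorted(inventory(SAMPLE).items()):
        print(f"{field}: {rate:.0%} of populated values look like SSNs")
```

Free-text fields such as `Description` are where SSNs tend to hide from a schema-only review, which is why the scan reads values rather than field labels.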

Vishing attacks will continue to succeed against some percentage of employees. But if attackers compromise a Salesforce instance containing only names, emails, and business contact information—not Social Security numbers—the breach notification is very different from one exposing half a million SSNs. Not knowing what sensitive data lives in which systems means learning from your litigation discovery process.

Cushman & Wakefield found out the hard way.
