Cyberattack puts real estate data security in focus
A recent cyberattack on a global real estate firm is raising fresh concerns about how companies protect customer, tenant and transaction data. Propmodo reported the May incident involved vishing, or voice phishing, underscoring the need for employee training, access controls and verification procedures.
A recent cyberattack on Cushman & Wakefield is raising new questions about how commercial real estate firms protect the large amount of customer, tenant and transaction data that moves through their systems every day.
According to Propmodo, Cushman & Wakefield confirmed the company experienced a limited data security incident in early May tied to “vishing,” or voice phishing. In that type of attack, a person is tricked over the phone into sharing credentials, access codes or other information that can give a cybercriminal a way into company systems.
A Cushman & Wakefield spokesperson said the company “recently became aware of a limited data security incident due to vishing” and had “activated its response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors to support a comprehensive response.” The company also said its systems and operations continued to run normally.
The incident is notable because Cushman & Wakefield is one of the world’s largest commercial real estate services firms, with operations in more than 60 countries. Large real estate firms often hold customer financial records, tenant information, transaction histories, lease documents and contact data, making them attractive targets for cybercriminals.
Propmodo reported that two separate cybercrime groups, ShinyHunters and Qilin, claimed responsibility for activity involving Cushman & Wakefield within days of each other. ShinyHunters claimed it stole more than 500,000 Salesforce records containing personally identifiable information and internal corporate data, while Qilin also listed the company on its dark web leak site. The reporting noted that the full scope of the incident and the relationship, if any, between the claims were not fully established.
The takeaway for the broader commercial real estate industry is less about one company and more about how cyber risks are changing. The reported entry point was not a complex software exploit. It was a phone call. That means employee training, identity verification procedures and controls around customer relationship management systems can be just as important as traditional IT defenses.
For brokerages, property management firms and other real estate businesses, the incident is a reminder to review who has access to sensitive systems, how employees verify unusual requests and whether cybersecurity training reflects the kinds of social engineering attacks companies are actually seeing. Propmodo noted that vishing resistance requires regular simulation training for employees who handle access, credentials or system changes, along with audits of authentication permissions, connected apps and other software settings.
The Cushman & Wakefield incident does not mean every real estate company is facing the same level of risk. But it does show that real estate data has value, and that even routine business tools can become targets when criminals can talk their way past security procedures.
© 2026 Florida Realtors®