Class action suit targets global commercial real estate firm for failing to protect client info during massive data breach


Cushman & Wakefield has been hit with a double whammy.

First, the global real estate giant was the victim of a cyberattack — and now it faces a proposed class action for allegedly failing to protect former and current clients’ personal information.

Commercial tenant Michelle Milewski, of Illinois, filed the proposed class action last Friday, just days after the notorious hacker groups “ShinyHunters” and “Qilin,” a Russian-speaking cybercrime gang, infiltrated the firm’s systems, according to the federal complaint obtained by The Post from the Southern District of New York.


C&W — a behemoth with revenue of $10.3 billion in 2025 alone — “lost control over that data,” exposing “a litany of highly sensitive personal identifiable information about its current and former clients and tenants,” due to a successful “vishing” attempt, per the suit. Vishing, or “voice phishing,” is a form of cybercrime involving phone calls or voice messages to trick people into revealing sensitive information.

In C&W’s case, that information included people’s names, dates of birth, Social Security numbers, driver’s license numbers and financial information.

Milewski, who could not be reached for comment, had already been subjected to identity theft and fraud with unauthorized third parties attempting to open new credit cards in her name and trying to update her mailing address and account information for her debit card, per the court document. Since the data breach, she has allegedly been inundated with spam and scam emails, text messages and phone calls. The stress has caused Milewski anxiety and sleep disruption, the court document adds.

Milewski’s attorneys did not respond to The Post’s requests for comment.

“We are aware of this litigation and find the lawsuit to be baseless,” a C&W spokesperson told The Post in a statement. “The ShinyHunters data incident referenced was very limited in scope and we’re in the process of communicating to any clients that were impacted.”

ShinyHunters threatened to release the data if C&W didn’t reach out to them, a screenshot in the court document shows. “Make the right decision, don’t be the next headline,” the message read.

C&W did not engage with the hacker group, the spokesperson confirmed.


Milewski’s case was filed in New York because, though C&W’s global headquarters is in Chicago, the company maintains a major regional office at 1290 Ave. of the Americas in Midtown Manhattan.

The suit accuses the firm of “negligence” and failing to make changes to its security practices before and in the wake of the breach.

“Defendant failed to implement industry-standard cybersecurity measures, including failing to meet the minimum standards,” the court filing reads.

Meanwhile, a former employee at C&W filed a class-action suit in March, saying the firm failed to properly monitor and protect its employee 401(k) plan from “climate-related financial risks,” according to a press release. 

“I was disappointed to learn how exposed my savings were to climate-related financial risks, especially when the company clearly understood those risks in its own operations,” lead plaintiff and former C&W employee Renee Kvek said in prepared remarks. “Like most of my colleagues, my ability to retire depends on the growth and safety of my 401(k) account.”

C&W declined to comment on that case.
