Skip to main content
Emerging ThreatsMalware & Ransomware

Cushman & Wakefield Discloses Vishing Incident Amid Dual Ransomware Threats

Office desk with phone in foreground and blurred person in background.

"Cushman & Wakefield recently became aware of a limited data security incident due to vishing," a spokesperson told The Register, adding the firm had "activated our response protocols" and engaged outside advisors to investigate.

Company statement: vishing, containment, and normal operations

Cushman & Wakefield (C&W) confirmed what it called a "limited" data security incident and attributed the initial compromise to vishing — voice phishing that suggests an employee was socially engineered. The company said it had taken steps to contain the unauthorized activity and had engaged third‑party expert advisors to support a "comprehensive response." In its statement to The Register C&W also said, "Our systems and operations continue to run normally," and that it was "working diligently to investigate the incident."

Two separate claims: ShinyHunters on May 1, Qilin listing on May 4

Two criminal groups have publicly asserted they targeted C&W. ShinyHunters told The Register it carried out an attack on May 1. Separately, the group known as Qilin listed Cushman & Wakefield on its data leak site on May 4. C&W did not address the apparent dual targeting; the timing and the absence of any reported coalition between the two groups suggest the incidents are separate but coincidentally timed.

ShinyHunters' claim: "over 500,000 Salesforce records" and a May 6 deadline

ShinyHunters claimed it stole "over 500,000 Salesforce records containing PII and other internal corporate data." The group set a May 6 deadline for C&W to make contact to prevent the data from being leaked, and said that, at the time of its message to The Register, C&W had not yet responded. The claim follows a wave of activity from ShinyHunters that began in March, when it said it had accessed Salesforce and stolen data belonging to Salesforce and more than 100 of its customers. Since then, ShinyHunters has been publicly linked to incidents affecting brands including ADT, Carnival Cruise Line, Rockstar Games and Vimeo, though not all of those follow‑on disclosures were explicitly tied to the Salesforce compromise.

Qilin's listing and the ransomware context

Qilin's data leak listing for C&W did not include technical details or an explanation of how the group allegedly gained access. The Register noted Qilin is "currently viewed as the world's most prolific ransomware group." That description frames the group's presence on a leak site as a hallmark of ransomware activity, though the listing itself did not specify ransom demands or method of compromise in this instance.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: The attribution to vishing points to social‑engineering risks; teams will likely examine telephony controls, training programs, and incident‑response playbooks while cooperating with outside advisors as C&W has done.
  • Affected enterprises and procurement leaders: Organizations that use the same CRM platforms or third‑party services named in the chain of commerce will watch whether the claimed "over 500,000 Salesforce records" include cross‑customer exposure and whether disclosure from C&W or others prompts broader notifications.
  • End users and the public: If the ShinyHunters claim about records containing personally identifiable information is accurate, impacted individuals could face increased phishing or fraud risk depending on what data was included and whether the May 6 deadline expired without resolution.

The public record in The Register establishes three narrow but consequential facts: C&W acknowledges a vishing‑driven incident and has mobilized containment and external advisors; ShinyHunters claims a large Salesforce‑related haul and set a May 6 contact deadline after a May 1 attack claim; and Qilin appeared on a leak site on May 4 without detailing its means. Whether those threads converge into a single, larger compromise or remain distinct episodes will depend on the conclusions of C&W's ongoing investigation and any subsequent disclosures from the company or the groups involved.

Source: The Register reporting on Cushman & Wakefield