Cushman & Wakefield Data Breach Class Action, Hacker Group Reportedly Affected 310K Accounts Hers What Happened and Who Is Affected
Cushman & Wakefield Inc. is facing a proposed class action lawsuit filed in the U.S. District Court for the Southern District of New York, accusing the global commercial real estate company of failing to protect current and former clients’ confidential information from hackers who breached its systems. The company confirmed the attack stemmed from a vishing incident — a voice phishing technique where an employee was socially engineered over the phone. The breach was indexed on Have I Been Pwned on May 12, 2026, confirming the exposure of exactly 310,400 accounts. No settlement exists. No claim form is open. This article explains what happened and what your options are right now.
Quick Facts: Cushman & Wakefield Data Breach Lawsuit
| Field | Detail |
| Lawsuit Filed | May 11, 2026 |
| Defendant | Cushman & Wakefield Inc. |
| Case Name | Milewski v. Cushman & Wakefield, Inc. |
| Court & Jurisdiction | U.S. District Court, Southern District of New York |
| Alleged Violation | Negligence; failure to protect personally identifiable information (PII) |
| Who Is Affected | Current and former clients and employees whose data was exposed in the May 2026 breach |
| Breach Confirmed | May 2026 — via vishing (voice phishing) attack |
| Threat Actor | ShinyHunters (and separately, Qilin ransomware group) |
| Records Exposed | 310,400 accounts confirmed by Have I Been Pwned (May 12, 2026) |
| Current Court Stage | Proposed class action — no class certified, no settlement reached |
| Lead Law Firm | TBD — complaint filed; lead counsel not yet confirmed in public records |
| Next Hearing Date | TBD — case was filed May 11, 2026; no hearing scheduled yet |
| Official Case Website | TBD — none established yet |
| Last Updated | May 13, 2026 |
What Is the Cushman & Wakefield Lawsuit About? Milewski v. Cushman & Wakefield, Inc., S.D.N.Y. (Filed May 11, 2026)
Headquartered in Chicago, Cushman & Wakefield serves thousands of high-profile companies, managing roughly 5.1 billion square feet of space and 144,000 multi-unit properties across the U.S. The Fortune 500 firm has more than 400 offices in over 60 countries and employs about 52,000 professionals worldwide, with total revenue of $10.3 billion in 2025. The company sits at the center of commercial real estate transactions involving some of the most sensitive business and client data in the industry.
In early May 2026, two separate cybercrime groups — ShinyHunters and Qilin — each claimed responsibility for attacks on Cushman & Wakefield. ShinyHunters claimed it attacked the company on May 1 and stole over 500,000 Salesforce records containing personally identifiable information and other internal corporate data. Qilin listed Cushman & Wakefield on its dark web leak site on May 4. Cushman & Wakefield confirmed the breach in a statement, calling it a “limited data security incident due to vishing” and saying it had activated response protocols and brought in third-party expert advisors.
When Cushman & Wakefield refused to pay the ransom, ShinyHunters publicly released the stolen data. The leaked records consisted mostly of internal Cushman & Wakefield employee email addresses, along with tens of thousands of external client and partner contact records, including names, job titles, company addresses, and phone numbers. The lawsuit, filed the following day on May 11, 2026 in the Southern District of New York, accuses the company of negligence — specifically that it failed to implement reasonable security measures to protect client data from exactly this type of attack. This is the same legal theory behind similar identity theft lawsuit cases that have reached federal courts across the country. For context on how these corporate breach cases typically proceed, the Citizens Bank data breach class action lawsuit — also filed in 2026 following a ransomware group’s theft of client records — shows the typical path from complaint to class certification.
Are You Part of the Cushman & Wakefield Class Action Lawsuit?
If you are wondering whether this lawsuit includes you, here is how to think about it. The proposed class has not been formally certified yet, but here is what the complaint targets.
You may be part of this class if:
- You are a current or former client of Cushman & Wakefield whose contact information, business records, or personally identifiable information was stored in the company’s systems as of May 2026
- You are a current or former employee whose internal email address, job title, or professional contact details were exposed in the breach
- You are a business partner, vendor, or third-party contact whose information was held in Cushman & Wakefield’s Salesforce CRM or related systems
- Your name, email address, job title, company address, or phone number was included in the leaked dataset, which was confirmed and indexed by Have I Been Pwned on May 12, 2026
You are likely NOT included if:
- You have no business relationship with Cushman & Wakefield and never shared data with the firm
- Your information was not stored in the affected systems at the time of the May 2026 attack
You can check whether your email address appeared in the breach at haveibeenpwned.com — that is the fastest way to confirm your data was exposed. Most class members in a data breach compensation case like this are automatically included once the court certifies the class. You do not need to file anything right now.
Related article: Sezzle Sued Shopify Faces Antitrust Lawsuit Over BNPL Market Are You Affected as a Merchant?
What Are Cushman & Wakefield Plaintiffs Seeking?
This is not a payout section — no money is available yet and no settlement has been proposed. Here is what the lawsuit is asking the court to order.
The proposed class accuses Cushman & Wakefield of not doing enough to protect current and former clients’ confidential information from hackers. Based on the legal theories common to this type of data privacy attorney case — negligence, negligence per se, and breach of implied contract — the complaint seeks compensatory damages for the risk of identity theft and future harm, reimbursement of out-of-pocket costs victims incur protecting themselves, and injunctive relief requiring Cushman & Wakefield to overhaul its data security practices.
Security experts warn that even though this breach did not expose credit card or Social Security numbers, comprehensive corporate directories are highly valuable to cybercriminals. Armed with exact names, job titles, and internal email formats, attackers can craft convincing spear-phishing campaigns that target victims or their employers months after the original breach. Plaintiffs will argue that ongoing exposure to targeted phishing is real, compensable harm — the same argument courts have accepted in dozens of similar corporate breach cases.
No specific dollar amount has been filed with the court. No settlement has been offered. Cushman & Wakefield has not yet filed a formal response to the complaint.
What Should You Do If Your Data Was Exposed by Cushman & Wakefield?
Most people affected by this breach do not need to do anything to stay in the lawsuit right now. If the court certifies the class, you will be included automatically unless you choose to opt out. Here are the practical steps that protect you regardless of how the litigation proceeds.
- Check haveibeenpwned.com using your work and personal email addresses to confirm whether your information appeared in the leaked dataset
- Be alert to spear-phishing attempts — attackers who downloaded the Cushman & Wakefield data now know your name, job title, and employer, which makes fake emails and calls far more convincing than generic phishing
- Do not click unexpected links claiming to be from Cushman & Wakefield, related vendors, or law firms offering to represent you — verify everything independently
- Save any breach notification letter you received from Cushman & Wakefield — this will be your key proof of membership in any future settlement class
- Monitor the PACER federal court docket for Milewski v. Cushman & Wakefield, Inc. in the Southern District of New York for case updates
- If you want to pursue an individual claim rather than waiting for the class action, consult a consumer rights lawyer who handles data privacy cases — but understand that individual litigation is expensive and class actions typically deliver faster results for most people
Cushman & Wakefield Data Breach Lawsuit Timeline
| Milestone | Date |
| ShinyHunters Claims Attack on Cushman & Wakefield | May 1, 2026 |
| Qilin Lists Cushman & Wakefield on Dark Web Leak Site | May 4, 2026 |
| Cushman & Wakefield Confirms Breach | May 5, 2026 |
| ShinyHunters Publicly Releases Stolen Data | May 2026 (after ransom deadline passed) |
| Have I Been Pwned Indexes Breach (310,400 accounts) | May 12, 2026 |
| Class Action Filed in S.D.N.Y. | May 11, 2026 |
| Class Certification Motion | TBD — not yet filed |
| Next Scheduled Hearing | TBD — case is days old as of publication |
| Expected Settlement Timeline | TBD — litigation is in its earliest stage |
Frequently Asked Questions
Is there a class action lawsuit against Cushman & Wakefield?
Yes. A proposed class action named Milewski v. Cushman & Wakefield, Inc. was filed in the U.S. District Court for the Southern District of New York on May 11, 2026. The lawsuit accuses the company of failing to protect client and employee data from a vishing-based cyberattack.
Do I need to do anything right now to be included in the Cushman & Wakefield lawsuit?
No. In most data breach class actions, class members are automatically included once the court certifies the class. You do not need to file a claim form or contact anyone at this stage. Save your breach notification letter if you received one and monitor the case for updates.
When will a settlement be reached in the Cushman & Wakefield case?
TBD — the complaint was filed May 11, 2026, and the case is in its earliest stage. No class has been certified and no settlement discussions have been publicly disclosed. Data breach class actions typically take one to three years to reach a settlement, depending on the complexity of the case and whether the defendant contests class certification.
Can I file my own lawsuit against Cushman & Wakefield instead of joining the class action?
Yes. You can pursue an individual claim by consulting a class action lawsuit attorney who handles data privacy cases. However, individual data breach litigation is costly and time-consuming. For most people whose losses are limited to the risk of future phishing or identity theft, waiting for the class action typically produces a better outcome with no personal legal expense.
How will I know if the Cushman & Wakefield lawsuit settles?
If a settlement is reached and the court approves it, the settlement administrator will send notice to all class members, typically by email or postcard to the last known address on file. You can also monitor the official case docket on PACER at pacer.gov by searching for Milewski v. Cushman & Wakefield in the Southern District of New York.
Was my Social Security number or financial data exposed in this breach?
Based on what ShinyHunters published, the exposed data consisted primarily of business contact information — names, job titles, company addresses, phone numbers, and email addresses — rather than Social Security numbers or financial records. That said, Cushman & Wakefield has not publicly confirmed the full scope of what was accessed, and the investigation is ongoing.
What is vishing and how did it cause this breach?
Vishing is a voice phishing attack where criminals call employees and impersonate legitimate parties to trick them into handing over credentials or access. Cushman & Wakefield confirmed the attack was limited in scope and stemmed from this technique. Plaintiffs argue the company’s security training and protocols should have prevented an employee from being socially engineered in this way.
Sources & References
- Law360: Cushman & Wakefield Failed To Protect Clients’ Info, Suit Says, Isaac Monterose, May 11, 2026 — law360.com/articles/2475720
- The Register: Cushman & Wakefield confirms vishing cyberattack, May 5, 2026 — theregister.com
Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against Law360 court reporting, The Register’s confirmed company statement, and Have I Been Pwned’s official breach index. Last Updated: May 13, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah