Garson Brothers Asset Management, LLC Data Breach Analysis
Analysis of the Garson Brothers Asset Management, LLC data breach disclosed 2025-09-24
Wire Fraud Scheme Exposes Personal Data at Pittsburgh Real Estate Firm
A targeted cyberattack against Garson Brothers Asset Management, LLC has compromised the personal information of 167 individuals, with the breach notification revealing the attackers' primary goal was business email compromise (BEC) for wire fraud rather than data theft.
The Pittsburgh-based property management company discovered suspicious email activity on May 1, 2025, and subsequently determined that an unauthorized actor had accessed employee email accounts containing sensitive personal information including names and Social Security numbers.
Timeline of Events
The incident unfolded over several months before affected individuals received notification:
- May 1, 2025: Garson Brothers detected unusual activity within its computer network and engaged cybersecurity experts
- May 19, 2025: Investigation determined unauthorized access to an employee email account occurred on this date
- September 12, 2025: Company completed collecting mailing addresses for affected individuals
- September 16, 2025: Notification letters sent to affected individuals via USPS First Class Mail
- September 23, 2025: Maine Attorney General notified of the incident
The nearly five-month gap between discovery and notification reflects the time required to conduct forensic analysis and review affected files—a timeline that, while legally compliant, raises questions about whether faster notification protocols could benefit breach victims.
Data Exposed
According to the notification filed with the Maine Attorney General, the compromised information includes:
- Full names
- Social Security numbers
The affected population includes current and former employees, contractors, and tenants associated with Garson Brothers' residential and commercial property portfolio. While only one Maine resident was affected, the total breach impacted 167 individuals across what is likely multiple states.
Attack Methodology: Business Email Compromise
The notification letter provides an unusual level of transparency regarding the attackers' motivations. Garson Brothers explicitly states: "It appears that the goal of the threat actor was to commit wire fraud using our email."
This admission points to a classic business email compromise (BEC) attack—a scheme where criminals gain access to legitimate business email accounts to redirect wire transfers or trick employees and partners into sending funds to attacker-controlled accounts. According to the FBI's Internet Crime Complaint Center, BEC schemes resulted in over $2.9 billion in losses in 2023 alone, making it one of the most financially damaging cybercrime categories.
The attack vector appears to have been email account compromise, though the notification does not specify whether this was achieved through:
- Credential phishing
- Password spraying
- Exploitation of unpatched vulnerabilities
- Social engineering
The incidental exposure of personal data—while serious for affected individuals—was likely collateral damage rather than the primary objective. Real estate and property management firms are frequent BEC targets due to the large wire transfers involved in property transactions.
Impact Analysis
For Affected Individuals
The exposure of Social Security numbers paired with names creates significant identity theft risk. Unlike credit card numbers that can be replaced, Social Security numbers are permanent identifiers that can be exploited for years after initial exposure. Affected individuals face potential risks including:
- Tax fraud through filing false returns
- New account fraud (credit cards, loans, utilities)
- Employment fraud
- Medical identity theft
Garson Brothers is offering 12 months of single-bureau credit monitoring through Kroll, which provides a basic level of protection but requires proactive enrollment by affected individuals.
For Garson Brothers
Beyond the direct costs of breach response—forensic investigation, legal counsel from Constangy Brooks Smith & Prophete, notification mailing, and credit monitoring services—the company faces reputational considerations. Property management firms handle sensitive tenant information as a matter of course, and demonstrated security failures can impact tenant and property owner relationships.
The company states it has "implemented additional security measures to further harden its environment," though specific improvements were not disclosed.
Regulatory Implications
The breach triggers notification requirements across multiple jurisdictions. Maine's data breach notification statute (Me. Rev. Stat. Tit. 10 §§ 1346-1350-B) requires notification to the Attorney General when Maine residents are affected, but similar requirements exist in most states where affected individuals reside.
For real estate and property management firms, this incident underscores several regulatory considerations:
- State Privacy Laws: The patchwork of state breach notification laws means companies must track and comply with varying requirements across all states where they hold personal information.
- Gramm-Leach-Bliley Act (GLBA): If Garson Brothers engages in financial activities related to property transactions, GLBA's Safeguards Rule may apply, requiring specific information security programs.
- FTC Oversight: The FTC has increasingly pursued enforcement actions against companies with inadequate data security practices, particularly following breaches.
Lessons for the Financial Services and Real Estate Industry
BEC Remains a Critical Threat
This incident reinforces that business email compromise continues to be one of the most dangerous threats facing organizations that handle significant financial transactions. Real estate firms, mortgage lenders, and property managers should prioritize:
- Multi-factor authentication (MFA) on all email accounts—preferably phishing-resistant methods like hardware security keys
- Out-of-band verification for any wire transfer requests, using phone numbers obtained from sources other than the email requesting the transfer
- Email security gateways with advanced threat protection to detect credential phishing
- User awareness training focused specifically on BEC tactics
Data Minimization Matters
The presence of Social Security numbers in email accounts raises questions about data handling practices. Organizations should evaluate:
- Why sensitive PII exists in email systems rather than secured databases
- Whether employees need access to full Social Security numbers for their roles
- Automated data loss prevention (DLP) tools that can flag or block sensitive data in emails
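The following added example (not taken from the notification or from any DLP product) shows the kind of content rule a DLP tool applies to mail: it finds SSN-shaped values in the subject and plain-text body, discards number ranges the Social Security Administration never issues, and returns a block or allow verdict with the matches masked. The function names and both sample messages are constructed for illustration; HTML parts and attachments are not inspected.

```python
import re
from email import message_from_string

# SSN-shaped: 3-2-4 digits, with one consistent separator ('-' or ' ') or none,
# and not embedded in a longer run of digits or dashes.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Reject ranges never issued: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_ssns(text):
    """Return masked SSN candidates; only the last four digits are kept."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            hits.append("***-**-" + serial)
    return hits

def scan_message(raw):
    """Scan the subject and text/plain parts of one message, return a verdict."""
    msg = message_from_string(raw)
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            texts.append(body.decode(charset, "replace"))
    hits = [h for t in texts for h in find_ssns(t)]
    return {"action": "block" if hits else "allow", "matches": hits}

# Constructed sample messages (not real data).
LEAK = ("From: hr@example.com\nTo: payroll@example.com\n"
        "Subject: W-2 for new hire\n\nName: Jane Sample\nSSN: 123-45-6789\n")
CLEAN = ("From: a@example.com\nTo: b@example.com\nSubject: Lease renewal\n\n"
         "Call 412-555-0100 re: invoice 000-12-3456.\n")

if __name__ == "__main__":
    for name, raw in (("LEAK", LEAK), ("CLEAN", CLEAN)):
        print(name, scan_message(raw))
```

Masking the match in the verdict keeps the DLP log itself from becoming another store of Social Security numbers.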
Incident Response Planning
The timeline in this breach—while not unusual—highlights the value of having incident response plans with clear notification triggers. Organizations should establish:
- Pre-negotiated retainer agreements with forensic investigators and breach counsel
- Documented thresholds for when notification preparation should begin
- Processes for rapid address verification to minimize notification delays
Vendor and Tenant Communication
Property management firms maintain ongoing relationships with both property owners and tenants. Clear communication protocols for security incidents—beyond minimum legal requirements—can help preserve trust and demonstrate accountability.
Conclusion
The Garson Brothers breach represents a common but dangerous attack pattern: criminals seeking financial gain through business email compromise who incidentally expose personal data in the process. While 167 affected individuals is relatively small compared to mega-breaches affecting millions, the exposure of Social Security numbers creates lasting risk for each person involved.
For the broader real estate and property management industry—which handles substantial financial transactions and maintains sensitive personal information on employees, contractors, and tenants—this incident serves as a reminder that robust email security and data handling practices are not optional. The attackers in this case may have been focused on wire fraud, but the collateral damage to individuals whose data was exposed is very real.