Fulcrum Real Estate data breach exposes Social Security numbers

Fulcrum Real Estate Services Inc, a property management company based in Tacoma and Tumwater, Washington, disclosed a data breach that may have exposed Social Security numbers.

The breach was disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation in a filing that identified two residents of the state as affected. Fulcrum Real Estate Services discovered the incident on March 9, 2026.

The incident was a ransomware attack that targeted the company's Egnyte platform, a cloud-based system used for storing and sharing files. According to the company's notification letter to consumers, suspicious activity was detected on the platform on or about March 9, 2026.

An investigation determined that certain files stored on the Egnyte platform may have been accessed or acquired without authorization on that same date. The company then conducted a comprehensive review of those files to determine whether any personal information was involved.

On or about May 5, 2026, the review confirmed that personal information belonging to certain individuals was contained in the potentially compromised data.

The personal information exposed in the breach included first and last names and Social Security numbers. Because the notification letter used variable fields to describe exposed data, the specific information involved may differ from person to person.

On April 29, 2026, a ransomware group known as INC RANSOM posted a claim on the Tor network, a part of the dark web often used by cybercriminals to publicize stolen data. The group claimed to have obtained two terabytes of data from Fulcrum Real Estate Services.

Fulcrum Real Estate Services' response

Upon discovering the incident, Fulcrum Real Estate Services took several steps to address the situation and protect affected individuals. The company engaged independent cybersecurity specialists to investigate the breach and determine the extent of the unauthorized access, according to its notification letter. It also implemented additional security measures designed to reduce the risk of a similar incident occurring in the future.

Fulcrum Real Estate Services notified the Federal Bureau of Investigation about the incident and stated it will cooperate with any resulting law enforcement investigation.

Because the breach involved Social Security numbers, a type of information that can be used to commit identity theft, the company is offering affected individuals complimentary identity protection services through IDX. The package of services includes credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy and fully managed identity theft recovery services.

To be eligible for credit monitoring specifically, individuals must be over 18 years old, have established credit in the United States, have a Social Security number in their name and have a U.S. residential address associated with their credit file.

Affected individuals can enroll in these identity protection services by calling 1-833-788-9712 or by visiting the IDX enrollment page. Each affected person received a unique enrollment code in their notification letter, which is required to sign up. The deadline to enroll is Aug. 29, 2026. Individuals with additional questions can contact Fulcrum Real Estate Services directly at 360-464-1031.