A decade of cybersecurity incidents, but how much has changed?

Thursday, April 9th, 2026

Cyber-attacks linked to commercial buildings are no longer rare events. Many executives in commercial property still assume the risks sit with the IT teams. But the past ten years show something different. Attacks now come through HVAC systems, access controls, smart sensors and the small devices we barely notice. This article sets out what has happened, what has changed and what still needs attention. Readers will get a clearer view of the cyber risks facing every type of commercial building, from multi-tenant offices and flex workspaces to shopping centres and science parks.

Early incidents that exposed the problem

The breach of the US retail giant Target in 2013 remains a turning point. Attackers got into the retailer’s network by using credentials stolen from an HVAC subcontractor. They moved through the internal systems and placed malware on point-of-sale devices. Forty million payment cards were stolen. Sixty to seventy million customer records were taken. The cleanup cost about two hundred million dollars. Security teams have talked about this case for years because it revealed how routine building access can open a path into core business systems.

Another early warning came when researchers accessed the building management system in Google’s Sydney office. The system was exposed to the internet and held configuration files with administrator credentials. Control over HVAC and other building systems was possible. This case showed how easy it was to misuse building systems that had been installed with weak or default security.

New devices, same problems

Smart buildings have rapidly emerged over the past decade. Offices and retail sites have increasingly adopted connected lighting, sensors, access controls and energy systems. These devices expand the attack surface. Yet many were deployed with minimal oversight from cybersecurity teams. In most organisations, the building systems were managed by facilities teams and third‑party vendors. Many vendors were not trained in cybersecurity and did not follow secure procurement or installation processes.

One well-known example involved a casino where attackers compromised a smart thermometer inside a fish tank. They used it to get onto the network. They reached a database containing high-value customer information and then moved the data out through the same device. The attack showed how a small and simple device could be misused in a large organisation.

Incidents that caused physical disruption

Recent incidents have demonstrated how attackers can disrupt a building’s infrastructure. A series of attacks on European office buildings in 2021 locked managers out of their own automation systems. Lighting, shutters and motion controls stopped working. At the same time, a hotel in Germany had its electronic door systems disabled by ransomware. Staff had to issue physical keys while they restored systems. These cases underline the direct impact on building operations and the people who use them.

Researchers and law enforcement officials have raised concerns about significant vulnerabilities in building management systems. Many of these systems run on outdated Windows versions that no longer receive support, and they often send their traffic unencrypted. These weaknesses have been associated with multiple ransomware attacks targeting commercial buildings and data centres.

What has changed

Organisations have improved their awareness of cybersecurity, and boards are taking it more seriously. Many have invested in detection tools for their IT networks. However, building systems often remain unaddressed by these advancements. Building networks are rarely monitored, and many multi-tenant sites still operate with flat networks where IT systems and building systems are not securely segregated. Moreover, third-party vendors often retain remote access with insufficient controls. The core issues that made the Target case so significant persist in 2026.

Time for the property sector to act

Commercial property owners and managing agents now sit at the centre of this shift. Buildings act as the entry point for attackers. They enable lateral movement from simple devices to critical systems. The commercial real estate sector holds the responsibility to manage these risks. Stronger procurement rules, basic segmentation, monitored building networks, and clearer oversight are essential. When buildings become connected, the cyber risk becomes part of daily operations.

Property leaders can set the right direction. They do not need deep technical knowledge. They do need to ensure that building systems are not left out of cybersecurity planning.

Final thoughts

Building systems now play a significant role in cyber incidents. Over the past ten years, there has been a consistent increase in attacks that use commercial buildings as the way in. The property sector can mitigate this risk by taking practical steps and ensuring proper oversight. It’s important to consult with your security teams, review your facilities, and update your building system policies accordingly.
