Auction house Sotheby’s has disclosed a data breach that leaked the sensitive information of an undisclosed number of people.
According to a cyber incident notice filed with the Office of the Maine Attorney General, the data breach occurred on July 24, 2025, and was discovered on September 24, 2025.
Sotheby’s responded by launching an investigation involving third-party cyber forensics to determine the nature of the stolen information and to whom it belongs.
“We immediately began an investigation which included an extensive review of the data to determine and validate what information was involved and to whom such information relates,” it stated.
Sotheby’s data breach leaked sensitive personal information
Sotheby’s concluded its investigation on or around September 24, 2025, and found that the data breach had leaked the victims’ full names, Social Security numbers (SSNs), and financial account information.
While Sotheby’s has no evidence that the stolen information had been misused, impacted individuals are at an increased risk of identity theft and fraud. Subsequently, the auction house is offering 12 months of complimentary credit monitoring services via TransUnion.
Sotheby’s also advised victims to remain vigilant for suspicious activity and report it to their banks and relevant authorities. They can also request free reports from major credit bureaus once a year and place credit freezes to prevent threat actors from opening new credit lines using the stolen details.
“We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors,” Sotheby’s advised impacted individuals.
Sotheby’s has also reported the data breach to relevant authorities, notified impacted individuals, and implemented additional cyber defenses to prevent a similar data breach in the future.
“We have administrative and technical safeguards in place that protect information through layered defenses, strict access controls, secure connections, and advanced threat protections,” the company said.
It also promised to continue reviewing its cybersecurity safeguards to ensure the safety of its information systems as part of its “ongoing commitment to the privacy of information.”
While two Maine residents are confirmed victims, the auction house has not disclosed the total number of victims or the identity of the threat actor. Similarly, no cybercrime group has claimed responsibility for Sotheby’s data breach at the time of publication.
Past data breaches on the auction house
Meanwhile, Sotheby’s has experienced other data breaches in the past that leaked personal and payment information. Between 2017 and 2021, Sotheby’s experienced recurring Magecart infections that leaked customer names, addresses, email addresses, payment card numbers, CVVs, and expiry dates.
On May 9, 2024, the 250-year-old auction house Christie’s also shut down its systems after experiencing a data breach that leaked 2GB of personal information belonging to 500,000 private clients.
The cyber attack almost prevented the auction house from selling artwork worth an estimated $840 million. Cyber extortion gang RansomHub claimed responsibility for the Christie’s cyber attack and accused the auction house of refusing to negotiate.
Auction houses are lucrative targets for cybercriminals because they usually contain the personal and financial information of high-net-worth individuals, including private clients who wish to remain anonymous.
