Auction house Christie’s is currently notifying customers of a significant data breach after the RansomHub ransomware group threatened to leak the stolen sensitive personal information.
The extortion attempt follows an apparent ransomware attack that prevented the auction house from selling items worth an estimated $840 million.
Billionaire Pinault’s family owns Christie’s, a 250-year-old auction house that sells art, luxuries, and collectible items.
Notable collections auctioned by Christie’s over the years include Paul Allen’s $1.7-billion treasure trove, Leonardo da Vinci’s Salvator Mundi, which was auctioned in 2017 for $450 million, and the Yves Saint Laurent and Pierre Bergé collection, which sold for $370 million in 2009. In 2023, Christie’s reported approximately $6.2 billion in global sales.
Cyber attack disrupted auctions
However, the May cyber attack forced Christie’s to create a temporary website for the 20th & 21st Century Art auctions in New York, raising security concerns from interested buyers. Nevertheless, collectors could still place their bids, preventing the auction from becoming a total flop.
“Earlier this month Christie’s experienced a technology security incident,” Christie’s spokesperson said.
Christie’s said it responded by shutting down systems on May 9, 2024, which disrupted the art house’s website for ten days. The auction house also launched an investigation, which determined that there had been unauthorized network access and exfiltration of limited client data.
“Our investigations determined there was unauthorized access by a third party to parts of Christie’s network.”
Investigators also “determined that the group behind the incident took some limited amount of personal data relating to some of our clients,” the company stated.
Christie’s auction house data breach exposed 500,000 private clients
On May 27, 2024, the RansomHub ransomware group, which was behind Christie’s data breach, added the auction house to its Tor dark web extortion site and threatened to leak data unless a ransom was paid. The ransomware gang claims the data breach leaked 2GB of sensitive personal information belonging to 500,000 “private clients” worldwide.
Art auctions are usually shrouded in secrecy and involve some of the wealthiest collectors, making the stolen information invaluable for targeted phishing and extortion.
“High profile organizations such as Christie’s, which sells high value items upwards of £600 million, will always be on the radar of cyber attackers looking for a quick win with large financial gain,” said Darren Williams, CEO and Founder of Blackfog.
According to Venky Raju, Field CTO at ColorTokens, “the client list of a prestigious auction house like Christie’s becomes an ideal target” for cybercriminals focused on victims with “deeper pockets.”
According to screenshots RansomHub posted, the data breach leaked sensitive personal details, including the victims’ first and last names, identification document details, gender, and phenotype data such as height and race.
“The personal identity data came from identification documents, for example, passports and driving licenses, provided as part of client ID checks, which Christie’s is required to retain for compliance reasons,” Christie’s spokesperson said.
However, the auction house claims that customers’ phone numbers, email addresses, ID photographs, signatures, and financial or transactional records were compromised during the data breach.
Meanwhile, the RansomHub ransomware group has accused the auction house of abruptly ending ransom negotiations after it attempted “to come to a reasonable conclusion.”
Subsequently, RansomHub intends to punish Christie’s by causing the auction house to incur a hefty GDPR fine and suffer reputational damage when the stolen sensitive personal information leaks on the dark web.
“It is clear that if this information is posted they will incur heavy fines from GDPR as well as ruining [sic] their reputation with their clients and don’t [sic] care about their privacy,” the ransomware gang gloated.
Meanwhile, the auction house said it was notifying privacy regulators, law enforcement agencies, including the Federal Bureau of Investigation (FBI) and British Police, and the impacted victims.
Christie’s also advised customers to check their accounts for unusual activity and is offering complimentary identity theft protection and monitoring services to protect data breach victims from fraud.
Emerging in February 2024, RansomHub is a relatively new threat actor who gained notoriety after attempting to extort Change Healthcare shortly after the healthcare provider paid the ALPHV ransomware group $22 million in ransom.