Wooden gavel lying on dollar notes showing cyber attack on art auctions

Cyber Attack on Christie’s Shifted Bidding for $578 Million Worth of Art Auctions Offline

One of the world’s most prominent art auctions had its website taken offline due to a cyber attack, but the incident was not enough to actually stop scheduled auctions from going forward.

The cyber attack takes place during a very active week of high-profile art auctions, and though Christie’s is continuing with its planned schedule. The website was down entirely for several days, and as of this writing the landing page and auction browsing feature are restored but other aspects of the site remain offline.

Art auctions continue as Christie’s deals with cyber attack

While the cyber attack did not stop the scheduled art auctions, it did temporarily shift all bidding to in-person or by phone. Christie’s generally makes about half of its annual revenue during this busy week of the year, which features modern and contemporary pieces and attracts some of the world’s wealthiest art collectors. An estimated $578 million in art is up for bid over the course of the week, with some individual pieces valued as high as $20 million.

Those collectors now have concerns about the security of their financial data. The cyber attack appears to have begun on May 9, which is when the Christie’s web site first went offline. The site remained down and there was no communication with the public about the incident until May 12, when chief executive Guillaume Cerutti emailed clients to inform them of a “technology security issue” but to assure them that the art auctions would proceed as scheduled. Most of these did, minus the ability to bid online, but one particular auction of rare watches held by Formula 1 star Michael Schumacher was delayed for a day.

Concerns about stolen financial data are well-founded given that there are still virtually no details about the attack available a week after it began. The extended website downtime points to ransomware, which would further suggest the possibility of data extortion. But until Christie’s becomes more forthcoming about exactly what was impacted it is impossible to say what data from the art auctions was exposed and who might have it. Ransomware gangs that exfiltrate data generally negotiate with victims for a period of up to a few weeks, before either dumping it to the general public via the dark web or selling it privately to other cyber criminals. Making a payment does not necessarily guarantee long-term data security, however, as major ransomware gangs have been found sitting on stolen data they agreed to delete after seizure of their servers by law enforcement.

Christie’s has also had a prior data security incident within the last year. In August of 2023, security researchers disclosed an unsecured internet-facing server providing access to pictures of the collections uploaded ahead of art auctions and GPS data that could place the exact current location of the pieces (in about 10% of cases). It is unknown who might have accessed this data, but the security researchers discovered and reported the leak in July and did not see it remediated until several weeks later in August.

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, believes that the response thus far has thrown a major shadow on Christie’s reputation for security and could prove to be very damaging for the brand going forward: “The recent cyber attack on Christie’s, targeting their spring auction of high-value items, underscores a critical vulnerability we’re seeing across sectors, but most worryingly in those that deal with unique, high-value assets which can allow for large sums of money to be quickly and reliably laundered. This incident isn’t just about the temporary hiccup in auction schedules or the switch to traditional bidding methods. It’s a stark reminder of how digital transformation has expanded the attack surface for organizations of all sizes and sectors. What stands out here is the swift adaptation to adversity-setting up an alternative website for basic information and continuity of the auction process through phone and in-person bids. Such resilience is commendable and necessary in today’s threat landscape.”

However, it raises pivotal questions about the security measures surrounding high-profile events and the preparedness for sophisticated threats, especially for institutions like Christie’s that are stewards of invaluable cultural and historical artifacts. Their reliance on digital platforms, while enhancing accessibility and efficiency, also invites risks that must be mitigated with layered security measures, regular testing, and a dynamic incident response plan that goes beyond traditional perimeter defense. Moreover, while Christie’s asserts that their protocols are ‘regularly tested,’ this incident is a critical reminder for all organizations to not only test their defenses but also to simulate real-world attack scenarios to truly gauge their resilience. These tests shouldn’t just be conducted in isolation against IT systems, but should also test the people and procedures that they follow. Good security is no longer something that only the cyber team can achieve, but rather it needs a coordinated and concerted effort across all departments and colleagues to build a strong security culture,” added Malik.

Cyber attacks on fine art organizations remain relatively rare, but potentially damaging

Targeted cyber attacks on fine arts and culture by hackers remain relatively rare, but the incident with the Christie’s art auctions demonstrates the appeal: potential access to the payment information of some of the world’s wealthiest people, and potentially a roadmap to where some of the world’s most valuable pieces are being stored. While cyber criminals are unlikely to use the latter information to pull off a caper, they can certainly sell that information to other underworld parties that are interested in doing so.

While hackers are showing a preference for certain other industries, like health care and telecommunications, cyber attacks involving the arts are far from unheard of. In 2022, the Metropolitan Opera of New York was hit during its busiest season. That attack appears to have been retaliation for the organization taking a public position in support of Ukraine, but it also revealed that its box office was compromised and during its busiest days it takes in some $200,000 in ticket sales.

The arts are also subject to third party vendor attacks. This happened in late 2023, when a number of different American museums faced follow-on compromise after a software provider called Gallery Systems that serves their unique needs was breached. Similarly to the recent incident with Christie’s art auctions, some of these attacks crippled the ability to display exhibits online and caused temporary website outages.

Jamie Boote, Associate Principal Consultant, Synopsys Software Integrity Group, additionally notes that art auctions are not the first types of auctions to be targeted by profit-seeking hackers sniffing out lucrative exploits: “Anywhere there is money somewhere on the internet, attackers have been exploiting vulnerabilities to their benefit. This is far from the first auction related attack. There’s even a class of exploits known as “Ebay Attacks” where attackers used to exploit the 5-minute account lock-out to freeze out other bidders from raising the prices on goods they wanted to win. This was because Ebay used to list the account names of other bidders and all the attacker had to do was enter in the displayed user name and a wrong password 3-5 times in succession and that user wouldn’t be able to log in and bid. It’s important to remember that there’s a trio of security concerns in cybersecurity – Confidentiality, Integrity, and Availability – instead of just focusing on an attacker’s abilities to change system behaviour or steal secrets. In this case, availability could have a real-world impact on the prices of those auction items.”

“When speculating about why an attacker would want to do this, it’s possible that the attacker could be doing this for notoriety, or they could be seeking to lower the prices on certain lots by reducing visibility of those items. However, if that backfires, it could end up driving more attention to the Van Gogh or the lot of rare watches if the seller doesn’t feel that they were generating enough excitement,” added Boote.