Hacking group threatens to leak client info in an escalation of Christie's cybersecurity breach

The ransomware group RansomHub is threatening to publish the data of some 500,000 clients of the auction house Christie's. The group claims to have obtained client names, nationalities, identity document numbers and other records. The threat comes as RansomHub's end-of-May deadline for payment of the ransom approaches.

In the latest turn in the cyberattack that hit Christie's during its May sales in New York, RansomHub has posted online a sample of sensitive data it says belongs to Christie's clients. Asked for a statement on the situation, Christie's said:

"Earlier this month Christie’s experienced a technology security incident. We took swift action to protect our systems, including taking our website offline. Our investigations determined there was unauthorised access by a third party to parts of Christie’s network. They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients. There is no evidence that any financial or transactional records were compromised.

Christie's is currently notifying privacy regulators and government agencies, and is in the process of communicating shortly with affected clients."

Earlier this month (May 2024) the attack disrupted Christie's marquee sales in New York: the main website was taken offline and both in-person and online operations were thrown into disarray.

Even so, the attack did not dampen the results of the six sales Christie's held in New York, which brought in a combined US$640m, with 89% of lots meeting or exceeding expectations.


The temporary Christie’s website that was used while the main one was shut down during the attack


In a statement of its own, RansomHub posted what it says is a sample of the stolen client data, as proof that it holds the data and can release it as threatened. The statement follows what the group describes as a breakdown in negotiations with Christie's. The full statement is below:

"We attempted to come to a reasonable resolution with [Christie's] but they ceased communication midway through," they said. "It is clear that if this information is posted they will incur heavy fines from GDPR as well as ruining their reputation with their clients and don't care about their privacy."

The General Data Protection Regulation (GDPR) is the European Union's data protection law, and it applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based. It requires organisations to build data protection into their systems and to put in place security measures appropriate to the risk; a breach that results from a failure to do so can attract fines. It also obliges a company to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, which is why Christie's statement mentions notifying regulators.

Under the GDPR's upper tier of penalties, Christie's could in principle be fined up to 20 million euros or 4% of its annual worldwide turnover, whichever is higher. Whether any fine is imposed, and how large, would depend on whether EU regulators find that Christie's fell short of its GDPR obligations and how seriously it did so.


An image of the RansomHub statement and the sample of leaked client data, released by the hacker group

Brett Callow, a threat analyst at the New Zealand cybersecurity company Emsisoft, was one of the first to post about the incident. He says there is no reason to doubt that RansomHub is behind the attack, but that its claim to hold the data of 500,000 clients cannot be verified: a published sample proves that the group has some client records, not the volume it claims.

Callow also notes that RansomHub appears to have links to the Russian-speaking ransomware group Alphv/BlackCat. Alphv was responsible for the February attack that crippled the US company Change Healthcare, which is reported to have paid a US$22 million ransom, and has also been blamed for the ransomware attack on Hong Kong's Consumer Council.


The takedown of Alphv’s website by law enforcement groups in late 2023

RansomHub itself appears to operate in the mould of Russian-speaking ransomware operations: it runs a "ransomware as a service" programme with a network of affiliates and claims not to attack Russian-aligned countries, including CIS member states, Cuba, China and North Korea. Under that model the affiliates carry out the intrusions against their chosen targets using the ransomware and infrastructure RansomHub supplies, and in return RansomHub takes either a subscription fee or a share of the extorted money.

RansomHub's past targets have been varied, including companies in the Americas, the Middle East, Europe and Australia, and it does not favour any one industry, having hit businesses in finance, technology and retail, among others. Reassuringly, Callow suggests that this spread of regions and sectors indicates that the art industry is not being specifically targeted.

As RansomHub's end-of-May deadline nears, it is uncertain how the next steps will unfold. Callow says Christie's only options now are to pay or not to pay. Even if the auction house does pay, there is no guarantee that the attackers will act in good faith and destroy the client data they hold, and no way for Christie's to verify that a copy has not been kept or sold on.