From cyberspace to the courtroom, the Christie's data breach saga enters the legal stage

While the whole saga of RansomHub seems to be winding down, there are still unanswered questions regarding Christie's cybersecurity scandal. For Christie's, the worst-case scenario has seemingly been avoided, with RansomHub failing to steal data of much value; however, the matter has now moved into the legal realm.

This update comes as Hong Kong's Privacy Commissioner for Personal Data (PCPD) confirmed that around 8,400 of Christie's Hong Kong clients were affected by the breach. The PCPD reaffirms that no financial or transactional data was stolen by RansomHub, and that the affected clients will be informed.

The PCPD adds that Christie's informed it of the breach on June 3rd, 2024, nearly a month after Christie's was hacked in May. This delay may in turn affect the investigation the PCPD is carrying out into whether Christie's acted appropriately during the cyberattack and in line with data protection legislation.

The legal complications are compounded by the fact that in New York a Christie's client has begun a class-action lawsuit against Christie's for what the plaintiff claims is a failure by Christie's to protect the "personal identifiable information" of its clients.


Regarding the PCPD development, Christie's stated that it had contacted the relevant authorities, both regulatory and legal, including those in Hong Kong. The Value was further informed that Christie's could not comment on any ongoing formal court proceedings. Christie's official statement is reproduced below:

“Since the cyber security incident occurred, we have been actively monitoring online activity for any mention of Christie’s or our data. As a result, we are aware that a cyber group has made a statement, as yet unverified, claiming that data taken from a limited part of our systems has been sold. We continue to have no evidence that financial or transactional records or copies of documents, signatures or photographs were taken. We have already notified those clients whose personal identity information was taken. We continue to comply with GDPR and other relevant national and state regulations.

We would like to thank our clients for their continuing trust and support during this challenging time and, again, we express our regret for any inconvenience caused.” 


As the data breach moves further into the legal stage, it should be expected that Christie's, regulators, and individual clients will become more tight-lipped about the matter as it enters the courts. When asked for comment, California's Privacy Protection Agency (CPPA) responded that it, too, could not comment on any ongoing investigation, a stance likely to be echoed by regulators globally.

While it is uncertain how these various regulators will carry out their investigations and levy fines, past cases give some idea of what could occur. In 2021 Luxembourg and Ireland fined Amazon and Facebook, respectively, for failing to comply with EU privacy laws, with each fine amounting to several hundred million.

One of the larger data breaches was the 2017 Equifax data breach in the United States. It resulted in the data of around 150 million customers being stolen, and in US federal and state authorities penalizing the credit agency. The firm paid a total of US$700 million, which was divided among various governmental offices and individuals.


[Figure: A map of where Christie's operates or has offices or representatives]

This raises several questions, as previous breaches were generally localized to one specific country, whereas Christie's data breach hit clients across the world. Christie's operates offices and representatives in 31 national jurisdictions, so it is unclear how fines will be levied.

Other criteria that could affect the fine Christie's incurs include the number of clients affected, Christie's initial response, and the state of its security systems before the hack. Christie's might even get off relatively lightly, given that the data stolen was of low value compared with other data breaches.


[Figure: Thurgood Marshall United States Courthouse, home of the Southern District of New York federal court where the lawsuit against Christie's has been filed]

One of the less opaque legal moves of the last few days has been the filing of a class-action lawsuit against Christie's by an American citizen, Efstathios Maroulis. Mr. Maroulis, who states that the auction house's poor security systems directly led to the loss of client data and to personal damages and injuries to affected persons, has filed the suit with a federal court in New York.

The suit states that the data breach resulted in "concrete injuries" to clients, who had to mitigate the problems caused by the breach. These alleged injuries include invasion of privacy, loss of time, and opportunity cost. The suit also states that there are long-term risks of identity theft and fraud should the data be purchased from RansomHub.

The case was filed on June 3rd, with Judge Jesse M. Furman ordering lawyers representing the plaintiff and Christie's to appear for pre-trial meetings in September. Christie's has also taken steps to further secure client data by seeking support from external cybersecurity experts, as well as offering free 12-month subscriptions to CyEx, an identity protection service, for impacted clients.

Overall, it is impossible to say with any real certainty what fate will befall Christie's. The scope and opacity of government investigations and court proceedings make the outcome hard to gauge, and it may take months, if not years, for investigations to conclude and fines to be issued. Regardless, this may be a wake-up call to auction houses globally that in this digital age, older industries must not fall behind new laws and security standards.