Hacker group begins the process of auctioning Christie's client data; however, experts are unimpressed

In what appear to be the closing stages of the Christie’s data breach saga that started last month (May 2024), the hackers have begun auctioning off the stolen client data. However, according to cyber security analysts, this should not be a cause for alarm, as the data stolen and now being released poses minimal threat to Christie’s clientele.

In a recap of events, just before the start of Christie’s New York’s spring auction, their website had gone down in what was called at the time a “technological security incident.” A simplified temporary website went up instead and the situation at the time was unclear.

However, the crisis failed to put a damper on the spring auction, which went ahead and earned a combined US$640 million across all its sales. Furthermore, 89% of all the lots put up for auction either met or exceeded initial estimates.

The temporary website that replaced the official Christie’s site during the hack. 10 days later the original website would return to operations.

Fast-forward to the 28th of May, just before the Hong Kong auction, and the Russian-speaking hacker group RansomHub declared themselves responsible for the attack on Christie’s. In a public announcement they declared they held the personal data of around 500,000 of Christie’s clients and were threatening to release it should the ransom not be paid.

According to the hacking group, this was largely because Christie’s had allegedly not been cooperative in negotiations. When asked for a statement, Christie’s said:

"Earlier this month Christie’s experienced a technology security incident. We took swift action to protect our systems, including taking our website offline. Our investigations determined there was unauthorised access by a third party to parts of Christie’s network. They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients. There is no evidence that any financial or transactional records were compromised.

Christie’s is currently notifying privacy regulators, government agencies as well as in the process of communicating shortly with affected clients."

The image and statement released by RansomHub threatening to release client data if their demands were not met along with accusing Christie’s of not cooperating with them

Important to note from the statement released by Christie’s is that no financial or transactional data was stolen by the hackers. This turned out to be true, as the data slowly being auctioned off by RansomHub has only included minimal information.

Names, ID numbers, and expiration dates on clients’ driver's licenses and national ID cards seem to have been exposed, along with some limited passport data, including passport numbers and place of birth. Importantly, however, neither the documents themselves nor the relevant contact data were released.

After RansomHub unveiled this, the group announced on the dark web, “Let us sell the data by auction… we abide by the rules of RansomHub and only sell once… Find something you like in the sample, then contact us.”

Callow, a cyber security analyst at New Zealand-based data security company Emsisoft, posted on X, formerly known as Twitter, that this is a last-ditch effort by RansomHub to squeeze any money they could from their hack of Christie’s. He further added that it was unlikely that anyone would be interested in purchasing this kind of data.

According to Callow, what would have concerned Christie’s and forced their hand in negotiations is stolen data revealing the location of auctioned art, or client financial data, both of which could have allowed interested parties to commit identity fraud. However, no information of that calibre has been released, pointing to the fact that RansomHub does not have it.

The hack failed to put a damper on Christie’s Hong Kong sales at the end of May as can be seen with the packed auction halls and overall success of the sale

Callow concluded his assessment of this situation by stating that this is an attempt to salvage what they can from their hack, especially when faced with the fact Christie’s knew that the group did not have any hacked data worth negotiating for in their hands.

While this saga may appear to be winding down, with a loss of face for RansomHub and a worst-case situation avoided by Christie’s, there are still a few final motions yet to occur in this drama. Firstly, there is the question of the EU. Under the General Data Protection Regulation (GDPR), Christie’s could be fined up to 20 million Euros or 4% of its annual income if found to have security systems so poor that they are in effect partially culpable for the hack occurring.

There are also the longer-term reputational effects this could have, not just on Christie’s but on the security of client data entrusted to auction houses across the sector, as clients who previously enjoyed anonymity could become victims of data breaches.

This has generated a small industry based around art dealing security, with companies such as ArtAML and iDenfy offering anti-money laundering (AML) and identity verification or “know your client” services. Regardless of the outcome, the Christie’s hack may be a watershed moment in the art world as new security concerns and solutions begin flooding the industry, and auction houses both public and private scramble to adapt.