Ransomware Attack on Christie’s: A Wake-Up Call for Art World Cybersecurity?
June 24, 2024
By Rachel Sundar
On May 27th, 2024, the cyber-extortionist group RansomHub, notorious for their recent attack on Change Healthcare, published a statement on the dark web, taking responsibility for a cyber assault on Christie’s, one of the world’s largest auction houses, with key locations in cities such as New York, London, Paris, Hong Kong, and Dubai.[1] The ransomware attack on Christie’s underscores the vulnerability of digital systems in the art world. As institutions such as auction houses, galleries, and even art databases increasingly rely on digital infrastructures, implementing robust cybersecurity measures and prioritising data protection become paramount in safeguarding sensitive information and maintaining the trust of clientele. Ransomware is a form of malicious software designed to extract data and restrict access to a computer system until a payment is made.[2] In this case, RansomHub was able to breach Christie’s digital security system, encrypt sensitive files and hold them for ransom.[3] In doing so, it forced the auction house to shut down its website during the entirety of the crucial sales week of New York’s marquee auction events, causing significant disruptions to the company’s operations.[4] Not only does Christie’s website serve as a vital tool for pre-auction arrangements––facilitating bidder registration, catalogue browsing, and pre-sale inquiries––but in a post-pandemic world, it has also become indispensable to the auctions themselves.[5] In the past few years, online bidding has emerged as the preferred method of participation for both local and international buyers, ensuring broader market reach and heightened bidding activity. According to Christie’s CEO Guillaume Cerutti in a statement to Vanity Fair, “80% of all bids across sales at the house last year were placed online, up from 45% in 2019.”[6]
Despite the security breach, Christie’s chose not to make an immediate public statement addressing the ransomware attack in an attempt to protect and prioritise upcoming sales.[7] Instead, the auction house referred to the incident as a “technology security issue,” proceeding with all six scheduled 20th/21st Century Art live auctions, achieving the highest total sales of any auction house for the week.[8] This success was largely attributable to “Christie’s Live,” a digital platform for remote bidding, which remained accessible during the incident and allowed registered bidders to participate online.[9] In addition, online catalogues were made available in PDF format on a temporary holding site, providing further convenience and accessibility for potential buyers.[10] Besides online bidding, clients turned to in-person and phone bidding throughout the week.[11] The auctions in question––highlighted by the 20th Century Evening Sale, the 21st Century Evening Sale, and The Rosa de la Cruz Collection Evening Sale––achieved a leading market performance, with a combined total of $640,219,290.[12] While these sales results may suggest a sense of reassurance among clients, the long-term repercussions of the incident on future sales remain uncertain, particularly in light of the recent claims made by RansomHub.
In a post on the dark web on Monday, May 27th, RansomHub claimed to have accessed data on “at least 500,000” Christie’s customers from “all over the world,” including full names, document numbers, nationalities, and birth dates.[13] The hackers have since threatened to release this sensitive data by the end of May, unless Christie’s complies with their ransom demand.[14] Although these claims have not yet been verified, “several cybersecurity experts have said RansomHub was a known ransomware operation and that the claim was plausible.”[15] Should RansomHub’s claims prove accurate, the incident may result in far more profound consequences than initially anticipated by Christie’s clientele. In an interview with the New York Times, Brett Callow, a threat analyst at the New Zealand-based cybersecurity firm Emsisoft, stated that while many types of cyberattacks can often be recovered from relatively swiftly, ransomware stands as a notable exception.[16]
In a statement released on May 26th, Edward Lewine, a spokesperson for Christie’s, addressed the situation more comprehensively, stating that an internal investigation had confirmed that there had been “unauthorised access by a third party to parts of Christie’s network,”[17] and that “the group behind the incident took some limited amount of personal data relating to some of our clients,”[18] but that “there was no evidence that any financial or transactional records were compromised.”[19]
The auction house has since taken several steps to enhance its cybersecurity, including notifying the relevant law enforcement authorities of the incident, such as the FBI and the British police, as well as maintaining communication with clients whose data had been compromised.[20] While the full extent of the stolen data is unclear, this cyberattack highlights the heightened vulnerability of auction houses in a digitised era. Since its foundation in 1766, the world-leading auction house has cultivated a reputation for excellence in the art world, hosting auctions for coveted masterpieces and boasting record-breaking sales. Given the nature of these high-value transactions, the security and confidentiality of their digital infrastructure are paramount. The ramifications of such a breach are far-reaching, endangering not only the privacy and security of individual clients but also undermining a fundamental tenet of the auction industry itself: the imperative of discretion.
Beyond raising concerns about cybersecurity and client confidentiality, this breach has also led to legal repercussions for the auction house, further underscoring the severity of the situation. A class-action lawsuit was filed in the Southern District of New York on June 3rd.[21] The complaint alleges that the personal information of over 500,000 current and former buyers was left vulnerable due to the company’s failure to implement adequate cybersecurity measures.[22] The exposed data allegedly includes full names, passport numbers, and other sensitive details from passport scans, which, if verified, would leave affected individuals at risk of identity theft and fraud.[23] A pre-trial conference for the case has been scheduled for September 10th.[24] This lawsuit highlights the potential legal and financial fallout that even the most established institutions may be exposed to in the wake of such cybersecurity incidents. Despite its scale and prominence, Christie’s has not been able to avoid this risk. Nonetheless, as a larger institution, it is likely to possess the resources and expertise necessary to address the breach and reinforce its cybersecurity infrastructure. However, the incident also raises broader concerns about the preparedness of smaller auction houses and players in the art market, such as galleries, that may lack the same capabilities to defend against cyberattacks.
Sources:
1. Zachary Small, Ransomware Group Claims Responsibility for Christie’s Hack, N. Y. Times (May 27, 2024), https://www.nytimes.com/2024/05/27/arts/design/hackers-claim-christies-attack.html.
2. Info. Comm’r’s Off., Ransomware and Data Protection Compliance, ico., https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/ransomware-and-data-protection-compliance/ (last visited June 20, 2024).
3. Small, supra note 1.
4. Brian Boucher, Ransomware Gang Threatens to Leak Data on Christie’s Clients After Major Hack, Artnet (May 27, 2024), https://news.artnet.com/art-world/ransomhub-christies-hack-2493192.
5. Place Bids from Anywhere in the World, Christie’s, https://www.christies.com/en/stories/place-bids-from-anywhere-in-the-world-4bfd8c5eb92a4cf1b74b34cfb9f5eb2c (last visited June 20, 2024).
6. Nate Freeman, Selling Through the Christie’s Cyberattack, Vanity Fair (May 16, 2024), https://www.vanityfair.com/style/story/christies-sale-hack.
7. Zachary Small, Ransomware Group Claims Responsibility for Christie’s Hack, N. Y. Times (May 27, 2024), https://www.nytimes.com/2024/05/27/arts/design/hackers-claim-christies-attack.html.
8. Daniel Cassady, Hacker Outfit RansomHub Claims Credit for Christie’s Auction Week ‘Technology Security Issue’, Artnews (May 27, 2024, 7:39 PM), https://www.artnews.com/art-news/news/ransomhub-hack-christies-website-1234707976/.
9. Christie’s, supra note 4.
10. Zachary Small, Hobbled by Cyberattack, Christie’s Says Marquee Sales Will Proceed, N. Y. Times (May 14, 2024), https://www.nytimes.com/2024/05/12/arts/design/christies-cyberattack.html.
11. Id.
12. Achieving $640 Million and Counting, Christie’s 20th/21st Century Art Sales Lead the Market, Christie’s (May 20, 2024), https://www.christies.com/en/stories/20-21-may-2024-marquee-week-sale-results-b4efc2671a484b7f91571852025eaa8b.
13. Kabir Jhala, Hackers Claim Responsibility for Christie’s Cyberattack and Threaten to Release Client Data, Art Newspaper (May 28, 2024), https://www.theartnewspaper.com/2024/05/28/hackers-claim-christies-cyberattack-and-threaten-to-release-client-data.
14. Id.
15. Small, supra note 1.
16. Id.
17. Id.
18. Id.
19. Id.
20. Zachary Small, After Hack, Christie’s Gives Details of Compromised Client Data, N. Y. Times (May 30, 2024), https://www.nytimes.com/2024/05/30/arts/design/christies-hack-client-data.html.
21. Karen Ho, Christie’s Hit With Class-Action Lawsuit Over Client Data After Cyberattack Shuts Down Website, Artnews (June 7, 2024, 5:25 PM), https://www.artnews.com/art-news/news/christies-class-action-lawsuit-client-data-cyberattack-ransomhub-1234708936/.
22. Id.
23. Id.
24. Id.
About the Author:
Rachel Sundar, a postgraduate fellow at the Center for Art Law, recently graduated from Sciences Po Paris Law School, where she majored in Economic Law, specialising in Innovation Law. Her primary interest lies in exploring the effects of digital creation and artificial intelligence on the art world, with a particular focus on issues of authorship and copyright protection.
Disclaimer: This article is for educational purposes only and is not meant to provide legal advice. Readers should not construe or rely on any comment or statement in this article as legal advice. For legal advice, readers should seek a consultation with an attorney.