Victim of a cyberattack, Christie's website went offline on Friday, May 10.
The auction house says clients’ passport or driving licence details had been compromised but stressed that “no financial or transactional records were taken”.
Christie’s was the victim of a ‘technology security incident’ that took its website offline from May 9 to May 20. The attack appeared to have been timed to maximise disruption as the auction house prepared for its flagship Modern and Contemporary art auctions in New York (May 14-18).
On May 27 a hacker group named Ransom Hub claimed responsibility, saying it had personal information belonging to 500,000 of Christie’s clients and would be selling it to the highest bidder if a ransom was not paid.
A May 30 email from Christie’s CEO Guillaume Cerutti to those who might be impacted confirmed that “a third party had downloaded certain client data from Christie’s internal client verification system”. The memo said the hackers now had access to passport details (name, gender, passport number, expiry date, date of birth, birthplace and machine-readable codes) but it did not have bank account details, photographs, signatures, contact details or information relating to property bought or sold at Christie’s. Clients without an email were being sent a letter to similar effect.
As it continues to monitor the fall-out, Christie’s is urging clients to be vigilant and is offering them 12 months of identity theft protection and monitoring services at no cost through specialist firm Cyberscoutto.
Despite this, a class action suit has been brought against the company in the Southern District of New York. The June 3 complaint (with a single plaintiff, a Dallas-based client) says the breach was “a direct result of [Christie’s] failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers”.
