A hacker group called RansomHub said it was behind the cyberattack that hit the Christie’s website just days before its marquee spring sales began, forcing the auction house to resort to alternatives to online bidding.
In a post on the dark web on Monday, the group claimed that it had gained access to sensitive information about the world’s wealthiest art collectors, posting only a few examples of names and birthdays. It was not immediately possible to verify RansomHub’s claims, but several cybersecurity experts said they were a known ransomware operation and that the claim was plausible. Nor was it clear if the hackers had gained access to more sensitive information, including financial data and client addresses. The group said it would release the data, posting a countdown timer that would reach zero by the end of May.
At Christie’s, a spokesman said in a statement, “Our investigations determined there was unauthorized access by a third party to parts of Christie’s network.” The spokesman, Edward Lewine, said that the investigations “also determined that the group behind the incident took some limited amount of personal data relating to some of our clients.” He added, “There is no evidence that any financial or transactional records were compromised.”
Hackers said that Christie’s failed to pay a ransom when one was demanded.
“We attempted to come to a reasonable resolution with them but they ceased communication midway through,” the hackers wrote in their dark web post, which was reviewed by a New York Times reporter. “It is clear that if this information is posted they will incur heavy fines from GDPR as well as ruining their reputation with their clients.”
GDPR, the General Data Protection Regulation, is an information privacy law in the European Union that requires companies to disclose when cyberattacks might have compromised the sensitive data of clients. Noncompliance with the law includes potential fines on companies that can rise to more than $20 million.
Cybersecurity experts said that RansomHub has emerged in recent months as an especially powerful ransomware group with possible connections to ALPHV, a network of Russian-speaking extortionists blamed for a cyberattack on Change Healthcare earlier this year. Hackers in that case appeared to receive a $22 million payment from the company’s owner, UnitedHealth Group, though United never admitted to sending the money. In April, RansomHub listed Change Healthcare as one of its victims and claimed to be holding onto four terabytes of stolen data.
“We know that Christie’s had an incident and a known ransomware operation has now claimed responsibility,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. “There is no real reason to doubt the claims.”
Ahead of its major spring sales, Christie’s had largely downplayed the reach of the cyberattack, which hobbled its website earlier this month. Many clients only learned about the hack from a New York Times reporter, and the company preferred to describe the hack as a “technology security incident.” The strategy appeared successful and the auction results — while tepid — showed little indication that buyers and sellers were more conservative with their bids as a result.
But inside the auction house, employees said there was a panic with little information being shared with rank-and-file staff. Following the end of the spring sales season, which made $528 million, the company regained control of its website.
Lewine said “Christie’s is currently notifying privacy regulators, government agencies,” and will be “communicating shortly with affected clients.”
