Christie’s wealthy clients’ list being hacked: over 500.000 names with sensitive personal data How about Credit Cards?

Today’s Global Top Art News.

It appears that Ransomware Gang is in possession of Christie’s client data and have a countdown, for early June, to releasing it to the public on their website.

500.000 wealthy, art industry related, people around the world are actually getting nervous. If the data about credit cards had been stolen, too, remains in limbo.

Ransomware Gang has claimed responsibility for the cyberattack earlier this month, that Christie’s once described as a “technology security incident.” For the first time, the company now admits in the New York Times, that some data was compromised.

In a statement, Christie’s spokesperson Edward Lewine said “our investigations determined there was unauthorized access by a third party to parts of Christie’s network,” adding that the hacker group gained “some limited amount of personal data” on certain clients, but that it had no evidence of “financial or transactional records” being compromised.

Up-date 2024/5/30

Art World, Take Heed: The Christie’s Hack Was a Warning

quotes:

“When it comes to data breaches and hacks, auction houses and galleries are no different from, say, financial institutions or car companies,” art market lawyer Thomas C. Danziger told ARTnews via email. “To a savvy hacker, the Monet consignor’s personal data may be worth as much as his bank PIN code.”
—
Now that even semi-sophisticated cybercriminals can purchase ransomware at the touch of a button or employ a chatbot to write a compelling scam email, shoring up cybersecurity has never been more important.

While not intending to alarm, Arnold said that the reality is, it’s never been simpler to stage a cyberattack. “And it seems, with the advent of things like automation and AI, it’s only getting easier.”

full text:
https://www.artnews.com/art-news/market/art-world-christies-ransomhub-hack-1234708090

For Christie’s customers, today’s notice

5th of June, 2024 up-date:

Brett Callow @BrettCallow
11:11 PM · May 30, 2024. 2,553 Views
#RansomHub claims it is selling Christie’s data by auction. It’s extremely unlikely that anybody would want to buy the information, and this is simply a Hail Mary effort to squeeze some money from Christie’s. #christies #ransomware 1/2
Link_https://twitter.com/BrettCallow/status/1796288383700058296

Also, the criminals will now be able to claim the info was sold rather than having to lose face by admitting they were unable to monetize a very high profile attack. 2/2
Link_https://twitter.com/BrettCallow/status/1796288385100997037

Hackers Are Now Offering Christie’s Client Data for Auction
May 31, 2024

quotes:
Christie’s sent clients a letter on the morning of May 30, detailing the client information that was compromised in the hack. It has also notified the Federal Bureau of Investigation and the British police about the attack. According to a statement from a Christie’s spokesperson, the hackers accessed client names and, for some, other personal identity information.

“There is no evidence that any financial or transactional records were taken, for any clients,” said the house. “The personal identity data came from identification documents, for example passports and driving licenses, provided as part of client ID checks, which Christie’s is required to retain for compliance reasons. No ID photographs, signatures, email addresses or phone numbers were taken.”

The data from some clients’ passports included full name, gender, passport number, expiry date, and date and place of birth. From other IDs, such as drivers’ licenses or national identity cards, all data shown on the front of the cards was compromised, including name, date of birth, country, and document number.

What was not exposed was copies of the documents or contact information (if not listed on the document).

〜〜〜〜

“What could have concerned Christie’s, and interested potential buyers, is the location of particular artworks or any financial information that would assist with committing identity-related fraud,” Callow said in a phone conversation.

full text:
https://news.artnet.com/art-world/christies-reveals-hacked-data-ransomhub-offers-auction-2495356

CHRISTIE’S LAWSUIT. Christie’s has been slapped with a class action complaint for negligence in failing to protect the personal information of clients stolen by cyber-extortionists in a historic hack of the company’s website in May. The lead plaintiff is listed as Dallas-based Efstathios Maroulis in the complaint filed in the Southern District of New York on June 3, reports The Art Newspaper . Allegations include Christie’s exposure of consumers’ “personally identifiable information” (PII), breach of implied contract, unjust enrichment, and violation of the New York deceptive trade practices act. The complaint also takes issue with the auction house’s opacity and “no real disclosure” of the extent of the hack and threat to concerned clients, while failing to follow up properly with those impacted in order to limit any further, resulting harm. Christie’s has said that no transactional information was stolen by RansomHub , the cyber-hackers who claimed responsibility for the attack, and unsuccessfully demanded a ransom in exchange for personal date pertaining to some 500,000 Christie’s clients. The gang later threatened to auction the data to willing buyers, though the outcome of the threat remains unclear. The lawsuit also demands Christie’s take new actions to secure data, and pay damages for harm from varied identity-related threats, which clients are allegedly facing.

Law & Politics

June 4, 2024

Christie’s Hit With a Class Action Lawsuit Weeks After Its Data Was Hacked
The lawsuit is alleging the auction house failed to “properly secure and safeguard sensitive information of its customers.”

Just a few weeks after its website was taken over by hackers in a major cyberattack as auction season was kicking into high gear, Christie’s is now the target of a class action suit alleging negligence, breach of implied contract, unjust enrichment, and violation of the New York deceptive trade practices act.

The lead plaintiff on the suit, which was filed June 3 in U.S. District Court for the Southern District of New York, is listed as Efstathios Maroulis, of Dallas, Texas. As The Art Newspaper noted, a person with the same name, based in Dallas, has the title of vice president and general manager of dental analytics and patient experience at a firm identified as Henry Schein One. Maroulis could not immediately be reached for comment.

Attorneys for Maroulis and the other plaintiffs are based in Long Island, New York, Washington, D.C., and Dallas, and did not immediately respond to a request for comment.

According to the complaint, Christie’s failed to “properly secure and safeguard sensitive information of its customers.” The plaintiffs said they entrusted their personal information to the auction house “on the mutual understanding that defendant would protect it against disclosure,” only to have it “targeted, compromised, and unlawfully accessed due to the data breach.”

The personal information compromised in the breach included the plaintiffs’ “full names, genders, passport numbers, expiration dates, dates of birth, birth places, MRZs, countries, and document numbers,” according to the complaint. MRZ refers to the “machine readable zone” in a passport that encloses the document holder’s personal data.

The complaint alleged that the information compromised in the data breach was “exfiltrated by cyber-criminals and remains in the hands of those cyber-criminals who target” the information for its value to identity thieves. As a result of the breach, the complaint alleged, roughly 500,000 class action members have been exposed to invasion of privacy, theft of information, and lost time and opportunity costs connected to attempting to mitigate the potential consequences of the breach.

RansomHub, a ransomware gang, has claimed responsibility for the hack. In a post on May 27, it threatened to leak the auction house’s client data unless a ransom was paid in a week. As the deadline neared, the hacker group put the data up for auction and has since claimed to have sold the data.

The 56-page complaint goes into extensive detail about Christie’s responsibilities and failure to protect the personal data, and the ongoing vulnerability that clients have going forward, specifically a “heightened and imminent risk of fraud and identity theft.”

Asked for comment, a Christie’s spokesperson said via email: “Since the cyber security incident occurred, we have been actively monitoring online activity for any mention of Christie’s or our data. As a result, we are aware that a cyber group has made a statement, as yet unverified, claiming that data taken from a limited part of our systems has been sold. We continue to have no evidence that financial or transactional records or copies of documents, signatures or photographs were taken. We have already notified those clients whose personal identity information was taken. We continue to comply with GDPR [General Protection Data Regulation] and other relevant national and state regulations.”

Christie’s declined to comment on the RansomHub’s bid to sell its data.

Its statement continued: “We would like to thank our clients for their continuing trust and support during this challenging time and, again, we express our regret for any inconvenience caused.”

https://news.artnet.com/art-world/christies-hack-class-action-lawsuit-2496847

Up-date 2024/6/6

Guillaume Cerutti
Chief Executive Officer via e-Mail:

I would like to provide you with an update on each of these items.

Christie’s experienced a cyber security incident in early May. However, we responded quickly and were able to limit the impact. I would once again like to express our sincere apologies for any inconvenience caused by this incident.

Our investigation has shown that the group behind the infringement took a limited amount of personal data relating to some of our clients. No ID photos nor signatures were exposed, and that there is no evidence that any financial or transactional records have been compromised.

On Thursday 30 May, we sent a personalised email to each affected client who has an email account with us. A letter will be sent to any affected client who does not have an email address on our system. In addition, we are offering these clients Identity Monitoring Services at no cost for one year. Our teams around the world remain available should you require further information.

(end of up-date)