Auction house Christie’s confirms criminals stole some client data

Centuries-old institution dodges questions on how it happened as ransomware gang claims credit

International auctioning giant Christie's has confirmed data was stolen during an online attack after a top-three ransomware group claimed credit.

A reclining Henry Moore sculpture in the atrium of Christie's main headquarters at Rockefeller Plaza in New York.

A reclining Henry Moore sculpture in the atrium of Christie's main headquarters at Rockefeller Plaza in New York Pic: Leonard Zhukovsky/Shutterstock

The revelation follows an incident from earlier in May that forced the auction house's online bidding system offline, an event which the company said at the time was due to a "technology security issue."

It also closely follows the RansomHub gang yesterday taking to its leak blog to claim it had broken into Christie's. Along with the post on Monday, the crims included what they claim is a sample of the data they stole. The gang said there was a seven-day deadline for the victim to pay the ransom.

A Christie's spokesperson told El Reg: "Earlier this month Christie's experienced a technology security incident. We took swift action to protect our systems, including taking our website offline.

"Our investigations determined there was unauthorized access by a third party to parts of Christie's network. They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients. There is no evidence that any financial or transactional records were compromised.

"Christie's is currently notifying privacy regulators, government agencies as well as in the process of communicating shortly with affected clients."

RansomHub's actions thus far represent typical double extortion behavior. Ransomware gangs will often keep incidents quiet while they try to negotiate a ransom payment with a victim, and then leak a small amount of data online when negotiations start stalling.

Christie's declined to comment on a number of the claims made by RansomHub in the post it made to its website. 

As ever with such claims, they always have to be taken with a pinch of salt, given that they're coming from criminals. RansomHub claimed it was able to extract personal data belonging to "at least 500,000" Christie's clients, including full names, addresses, the machine-readable zones of identity documents, heights, races, sexes, and more.

The gang also claimed Christie's was in talks with them following the attack, but claimed the auction house stopped engaging, prompting the recent escalation from the miscreants.

With Christie's being among the most recognizable names in the auctioning world, routinely selling art, jewels, and other valuables for sums deep into the multi-millions, it's as obvious and attractive target for cybercriminals as is a big corporate entity. The potential for a lucrative payout is theoretically very real.

However, if RansomHub's boasts are true, Christie's has seemingly refused to pay up until now and as ESET's global cybersecurity advisor Jake Moore says, events such as the LockBit leaks this year have shown that cybercriminals don't keep their promises even if a payment is made.

"With a sizable chunk of sensitive data being placed on the internet to prove the attackers mean business, Christie's are playing hardball by not immediately paying the ransom – a route more and more companies are choosing to go down," he said. 

"When backup resources are in place and recovery times do not impact business procedures, this is the preferred option. However, the cost of data damage control is where the focus is positioned but this is often difficult to put a value on. Even if Christie's were to pay the ransom, there is no guarantee that the rest of the data wouldn't surface online in the future as it is unlikely to be destroyed once demands are met."

RansomHub has emerged as a dominant player in the ransomware ecosystem in its short tenure on the scene. First spotted as recently as February this year, it has already cemented itself as a top-three group, according to the latest figures from NCC Group.

Little is known about who is behind the gang, although suspicions of it being an ALPHV rebrand were flying after RansomHub threatened to extort Change Healthcare – making it the second group to do so.

Others believe that the ALPHV affiliate responsible for the Change Healthcare attack simply switched allegiances after ALPHV refused to pay them their cut of the deal and instead made off with the entire $22 million ransom payment

In ALPHV's ranks, before it pulled the exit scam and folded, affiliates would typically expect to receive around 80 percent of the ransom payment. ®

More about


Send us news

Other stories you might like