Christie's confirms RansomHub crooks stole data on 45K clients

A far cry from the half-million claim that crims originally boasted

Auction house to the wealthy Christie's says 45,798 people were affected by its recent cyberattack and resulting data theft.

That's according to public filings made with US state attorneys general on Friday, which also included template letters that are being distributed to customers.

The letter templates didn't reveal the exact data types involved in the breach; instead, nondescript mail merge code is in its place. However, the public filing page in Maine states that the thieves stole both names and ID document numbers.

This description is broadly in keeping with RansomHub's claims. However, the attackers claimed much more information was stolen, including ID document details such as birthplace, dates of birth, home addresses, heights, and race.

That said, RansomHub appears to have vastly inflated the number of affected clients, initially saying more than 500,000 had their data stolen.

Christie's said in the letter to affected clients that it is still of the belief that the information stolen hasn't yet been misused, and offered 12 months of credit monitoring.

"On May 9, 2024, we discovered that we were the victim of a cybersecurity incident that impacted some of our systems," the letter reads. "As soon as we became aware of this event, we promptly took steps to secure our environment, launched an investigation, and engaged external cybersecurity experts to assist. We also notified law enforcement and continue supporting their investigation.

"The investigation revealed an unauthorized actor accessed some of our systems and certain files stored therein between May 8, 2024, and May 9, 2024, and some files were copied from those systems on May 9, 2024. We conducted a robust review of the files to identify individuals whose information may have been impacted and worked to obtain addresses and notify them as quickly as possible after completing the review on May 30, 2024."

El Reg asked Christie's if it had anything else to add but it didn't immediately respond.

The May incident appears largely wrapped up now after RansomHub threatened to leak the data but ultimately claimed to have auctioned it off themselves, if anyone can believe that.

Experts suspect it was instead more of a face-saving exercise. RansomHub likely struggled to monetize the data but rather than admitting that, they brashly claimed to have auctioned the auctioneer's data instead.

Suspicions of an attack first arose when Christie's website was brought down just days before an $840 million art auction was due to take place, owing to a "technology security issue."

Christie's finally went public with the news after RansomHub forced its hand, posting the company to its name and shame leak blog, along with a small sample of the alleged data it stole.

The posting shows Christie's didn't pay whatever ransom was demanded of it, unlike other major organizations in the US in recent months. RansomHub claimed a negotiation was taking place in the early stages, but talks broke down, which may have been a stalling tactic by Christie's as it tried to piece together what had happened. ®

More about


Send us news

Other stories you might like