Christie’s hackers say data of 500K clients stolen

The hacker group behind the Christie’s attack claims to have obtained the personal details of “at least” half a million of the famous auction house’s clients. The auction house confirmed limited amount of client data was stolen.

A ransomware cartel calling itself RansomHub has claimed the attack against Christie’s auction house. Earlier this month, Christie’s website was shut down right before a sales day, which was expected to bring in around $840 million.

The attackers posted Christie’s on their dark web blog, which the gang uses to showcase and threaten its victims. They say that they managed to penetrate the auction house’s network and obtain sensitive customer data.

The stolen data supposedly includes names, surnames, dates of birth, places of birth, document numbers, document expiration dates, nationalities, and other personal information. The attackers claim that the extent of the attack encompasses half a million of Christie’s clients.

Christie's data sample
Attackers' post on the dark web blog. Image by Cybernews.

Meanwhile, Christie's spokesperson explained that an investigation into the cyber incident did reveal some customer data was stolen during the attack.

“Our investigations determined there was unauthorised access by a third party to parts of Christie’s network. They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients. There is no evidence that any financial or transactional records were compromised,” the spokesperson said.

The auction house added that it is in the process of “notifying privacy regulators, government agencies as well as in the process of communicating shortly with affected clients.”

The sample that RansomHub provides includes some of the information attackers claim to have stolen. However, ransomware gangs sometimes overstate the importance of the stolen data to pressure victims into meeting their ransom demands.

However, the attackers themselves claim that ransomware negotiations with Christie’s have failed, with the auction house refusing to pay the ransom. Law enforcement authorities advise against paying cybercriminals as they’re incentivized to repeat attacks against victims who pay. Moreover, it’s impossible for victims to be certain that attackers will delete the stolen data once the ransom is paid.

Christie’s has been operating for nearly 260 years and is one of the world’s best-known auction houses. Last year, the organization reported revenue exceeding $6.2 billion.

A security incident at the auction house in 2023 affected photographs of paintings and sculptures that collectors had uploaded to the site for review.

Nearly ten percent of the images contained GPS coordinates pointing to the location of the artworks. According to researchers behind the discovery, Christie’s ignored the bug for over two months and only fixed the issue after the media contacted them.

RansomHub is a relatively new player in the ransomware ecosystem, having posted its first victim in February 2024. Analysts claim that the gang’s setup closely resembles a traditional Russian ransomware setup, with the gang avoiding targets in Russia, CIS countries, Cuba, North Korea, and China.

According to Ransomlooker, Cybernews’ ransomware monitoring tool, RansomHub has victimized at least 45 organizations since the gang started operating in February.