A hacker group called RansomHub said it was behind the cyber attack that hit Christie's website just days before the big spring sales began, forcing the auction house to resort to alternatives to online bidding.
In a post on the dark web on Monday, the group claimed it had accessed sensitive information about the world's wealthiest art collectors, posting only a few examples of names and birthdays. It was not immediately possible to verify RansomHub's claims, but several cybersecurity experts said it was a known ransomware operation and the claim was plausible. It was also not clear whether the hackers had gained access to more sensitive information, including financial data and customer addresses. The group said it would release the data and set a countdown timer that would reach zero by the end of May.
At Christie's, a spokesperson said in a statement: “Our investigation revealed that there was unauthorized access by a third party to parts of Christie's network.” The spokesman, Edward Lewine, said the investigation “also revealed that the group behind the incident took a limited amount of personal data from some of our customers.” He added: “There is no evidence that financial or transaction data has been compromised.”
The hackers said Christie's failed to pay a ransom when one was demanded.
“We tried to reach a reasonable resolution with them, but they stopped communicating halfway through,” the hackers wrote in their dark web post, which was reviewed by a New York Times reporter. “It is clear that if this information is posted, they will face heavy fines from GDPR and ruin their reputation with their customers.”
GDPR, the General Data Protection Regulation, is an information privacy law in the European Union that requires companies to disclose when cyber attacks may have compromised customers' sensitive data. Penalties for failing to comply with the law include, among other things, possible fines on companies that can amount to more than $20 million.
Cybersecurity experts said RansomHub has emerged in recent months as a particularly powerful ransomware group with possible connections to ALPHV, a network of Russian-speaking extortionists blamed for a cyber attack on Change Healthcare earlier this year. Hackers in that case appeared to have received a $22 million payment from the company's owner, UnitedHealth Group, although United never admitted to sending the money. In April, RansomHub mentioned Change Healthcare as one of its victims and claimed to be in possession of four terabytes of stolen data.
“We know that Christie's had an incident and a known ransomware operation has now claimed responsibility,” said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft. “There is no real reason to doubt the claims.”
Ahead of the big spring sales, Christie's had largely downplayed the reach of the cyber attack, which hampered its website earlier this month. Many customers only learned about the hack from a New York Times reporter, and the company preferred to describe the hack as a “technological security incident.” The strategy seemed successful, and the auction results, while lukewarm, showed little indication that buyers and sellers were more conservative with their bids as a result.
But inside the auction house, employees said panic ensued and little information was shared with regular staff. After the end of the spring sales season, which grossed $528 million, the company regained control of its website.
Lewine said, “Christie's is currently notifying privacy regulators and government agencies” and will “soon communicate with affected customers.”