The hackers who claimed responsibility for bringing down Christie’s website ahead of its spring art sales, and who threatened to sell the personal information of at least 500,000 of the auction house’s clients if Christie’s failed to meet their demands by Monday, had yet to initiate a full leak as of Tuesday morning.
RansomHub, a hacking group known for extorting businesses in exchange for stolen data, claimed responsibility May 27 for the attack, posting “a countdown clock on their extortion site along with a message suggesting they’d release client data, including names and passport details, on Monday morning,” according to Bloomberg.
Soon after, the group changed tack, deciding it would auction the data on the dark web, stating Christie’s had cut off negotiations after an attempt at a “reasonable resolution.”
According to a screenshot from the dark web shared by cybersecurity threat analyst Brett Callow, the hackers claimed the auction would follow “the rules of RansomHub and only sell once.” The group listed a number of categories of personal information it claimed to have obtained during the breach, including snippets of information regarding client driver’s licenses, ID cards, passport data and more — some of which has been leaked in small batches.
It appears this was an advertisement to possible buyers, as the group wrote “Find something you like in the sample, then contact us.”
Callow posted to Twitter that this threat appeared to be less worrisome than many would think, saying “It's extremely unlikely that anybody would want to buy the information, and this is simply a Hail Mary effort to squeeze some money from Christie’s.”
The current status of the illicit auction is unknown.
In a statement sent to clients affected by the data breach, which Bloomberg reviewed, the auction house wrote: “Please rest assured we are treating this incident with the utmost seriousness. We have proactively informed the relevant authorities, which include the UK police (via ActionFraud) and the FBI, as well as relevant data protection regulators globally, where required.”
Callow told Artnet that it appeared the hackers were bluffing due to the lack of evidence provided at this juncture.
“What could have concerned Christie’s, and interested potential buyers, is the location of particular artworks or any financial information that would assist with committing identity-related fraud,” Callow told the art news outlet. “It’s a way of saving face when they are unable to monetize attacks. It’s not just about the current victim but about future victims as well. They don’t want them to think they can just refuse to pay and nothing will happen.”
Will Stern is a reporter and editor for cllct.