Just before the New York May sales, with up to $1.8bn worth of art coming up for sale, Christie’s suffered a devastating cyber security breach. On 9 May its online site went down, to be replaced with an apology.
What the firm initially called a “technology security issue” lasted a full nine days. The hackers presumably demanded a ransom: did Christie’s pay out? It seems not, since the cyber criminals RansomHub then posted a blurred image of the firm’s client data on the dark web claiming they had access to the personal details of 500,000 of the firm’s clients around the world.
Christie’s is not alone: cyberterrorism is targeting companies and institutions across the board. Just two years ago, the French site Reflets published, on the dark web, hacked emails from Sotheby’s owner Patrick Drahi, about his $750m collection and communications with tax advisers. The hackers, Hive, demanded €5m to take it down and seem to have obtained it, since the information disappeared.
“Everyone is vulnerable, nobody is completely safe!” says Kirsten Whitfield, a partner in the Fieldfisher Data team and the co-head of the cyber breach practice. She continues: “And the progress in artificial intelligence is just accelerating bad actors’ capabilities of finding and exploiting vulnerabilities.
“Unfortunately, this remains a lucrative business, and it is not going away, and again unfortunately it is a huge amount of work to take the hackers down,” she says.
Is the art trade particularly vulnerable? I asked Paul Hawkins, the chief information security officer of the data security company CipherStash.
“In this particular scenario there are two things that stand out,” he says. “Firstly, Christie’s holds data about extremely wealthy people who might not like their financial dealings for high value assets being made public. And secondly, the nature of the event: an auction takes place at a specific time and so there is the potential for significant impact.”
He continues: “And then it may be that cyber criminals think that performing attacks is easier in the art industry, where information technology is not a core part of the business, and where there are significant sums of money involved.”
I ask both specialists about paying ransoms: doesn’t it just encourage more attacks?
“We tell clients there is no right answer,” Whitfield says. “The Information Commission Office [data protection regulator] discourages organisations from paying, and in some jurisdictions it could be a criminal offence. A public backlash is also possible. And you must remember that even if you pay the ransom, there is no guarantee they will not use the data anyway.”
Hawkins concurs: “The best way to not pay a ransom is to not need to pay a ransom, protecting yourself by using all the foundational security systems. Even if a ransom is paid there is no guarantee that you'll recover the data or systems. Double ransoms are a thing and cybercriminals can’t be trusted."
Christie’s has been contacting all clients who might be impacted, stating that “there was no evidence that any financial or transactional records were taken, for any clients,” and offering 12 months of identity theft protection and monitoring services. Despite this, a class action suit has just been brought by a Dallas-based client, alleging Christie’s inability to protect the “personally identifiable information” (PII) of current and former bidders registered in its databases.
As Whitfield says: “Sadly, cybercrime is a fact of life today.”