The ransomware gang behind the cyber attack on Christie’s auction house has sold the stolen data after the firm refused to pay a ransom.
Christie’s first reported a “technology security issue”, which made its website inaccessible on 9 May.
“We apologise that our full website is currently offline. We are looking to resolve this as soon as possible and regret any inconvenience,” the website said.
According to reports, alongside the website being inaccessible, users looking to access the website were redirected to a page that displayed the locations of a number of artworks.
The auction house later confirmed that a cyber attack caused the outage, but it still went ahead with its $840 million spring auction.
RansomHub then claimed responsibility, suggesting that while ransom negotiations had taken place, Christie’s cut contact with the group.
“We attempted to come to a reasonable resolution with them but they ceased communication midway through,” said RansomHub, which set a 3 June deadline for ransom to be paid.
Now that RansomHub has not been paid by the auction house, the group has sold the data to the highest bidder, announcing that the data has been sold on its dark web leak site.
According to the ransomware group, the data exfiltrated belongs to Christie’s customers and includes first and last names, birth date, birthplace, sex, nationality, full MRZ (Machine Readable Zone found on passports, IDs and visas) code, and some document data, including document category, document type, issuing authority, issue date and expiry date.
RansomHub said it has this data “and much more for at least 500,000 of [Christie’s] private clients from all over the world”.
While the auction house did not release a formal statement addressing RansomHub’s mention of ransom negotiations, Christie’s responded to Cyber Daily’s request for comment confirming that data had been exfiltrated.
“Earlier this month, Christie’s experienced a technology security incident. We took swift action to protect our systems, including taking our website offline. Our investigations determined there was unauthorised access by a third party to parts of Christie’s network,” said the spokesperson last month.
“They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients. There is no evidence that any financial or transactional records were compromised.
“Christie’s is currently notifying privacy regulators, government agencies as well as in the process of communicating shortly with affected clients.”
Speaking with The Register, the auction house confirmed that identification documents belonging to some of its clients had been exfiltrated.
“Our investigations determined there was unauthorised access by a third party to parts of the Christie’s network. They also determined that the third-party group accessed client names and, for a subset of clients, took some other personal identity information. There is no evidence that any financial or transactional records were taken, for any clients,” Christie’s told The Register.
“The personal identity data came from identification documents, for example, passports and driving licences, provided as part of client ID checks, which Christie’s is required to retain for compliance reasons. No ID photographs, signatures, email addresses, or phone numbers were taken.”