The email was posted to X by Belgian art collector Alain Servais. A Christie’s representative confirmed the authenticity of the email.

The May 9 attack was characterized by Christie’s as a “technology security issue” before being claimed as a hack by the cyber-extortionist group RansomHub in a message on the dark web this past Sunday. The hack forced Christie’s to shut down its website just days before the marquee auction sales in New York, which many hoped would lend clarity to a more than usually opaque art market. 

In the email posted by Servais, Christie’s described the hackers as “an unauthorized third party” and said that they accessed their IT network “for a limited period of time” and downloaded certain client data from Christie’s internal client verification system that houses information relating to client ID checks they are required to retain for compliance reasons. The data included personal information from photographic identification documents like passports and drivers licenses; it did not include photos, signatures, contact details, financial data, or transaction-related information, the email said.

Christie’s said further that it has taken steps to secure their systems, and have informed authorities. They have not yet found evidence of data misuse related to the attack. 

As a result of the attack, Christie’s is offering clients one year of free identity theft protection and has recommended vigilance against phishing and fraud. They also recommended that clients monitor their accounts for unusual activity, use strong passwords, and “be alert to the risk of phishing and any related fraud including any emails asking you to enter login credentials, provide financial information or give up any other personal data.”

Despite the attack and lack of a traditional website during the May auction week, Christie’s fared well, bringing in $114.7 million for the Rosa de la Cruz and 21st Century sales and $413 million during its 20th Century evening sale.

Late this past Sunday, RansomHub, a group of cyber-extortionists, claimed responsibility for the apparent hack of Christie’s previously at perhaps the most inopportune time for the auction house: New York Auction Week.

In a message posted to the dark web, the group shared an image containing a sample of the data taken in the attack, which it said included “sensitive personal information” concerning the auction house’s rarefied clientele. The message also had a timer counting down to RansomHub’s threatened release of the data, set to hit zero by the end of May.

This is just the latest development in what CEO Guillaume Cerutti euphemistically termed a “technology security incident” earlier this month, which caused a shutdown of the house’s website. For the entirety of May’s marquee auctions, clients had to make bids in person, by phone, or through a temporary site. Luckily for Christie’s, the incident didn’t appear to derail the sales—all the auctions went on as planned and the sales totaled more than $640 million—and the website has since been restored.

“Subsequent to the breach, everything seems fine,” art adviser Mary Hoeveler told ARTnews. But, she added, a big question remains: What information, if any, did the bad actor collect?

In a statement published this past Sunday, a Christie’s spokesperson, Edward Lewine, confirmed that “there was unauthorized access by a third party to parts of Christie’s network.” However, he added, the company’s investigations found no evidence that the hackers had compromised “any financial or transactional records,” taking only “a limited amount of personal data.”

If that is truly so, it would explain why the auction house appears to have taken a hard line with RansomHub: a dark-web message from the group said it “attempted to come to a reasonable resolution,” but Christie’s cut off communication halfway through negotiations.

Like many sectors, the art market is facing a growing onslaught of cybersecurity threats. In the broader economy, the number of online attacks small businesses experienced in 2023, for instance, increased 28 percent from the year prior, according to a report by the nonprofit Identity Theft Resource Center.

“When it comes to data breaches and hacks, auction houses and galleries are no different from, say, financial institutions or car companies,” art market lawyer Thomas C. Danziger told ARTnews via email. “To a savvy hacker, the Monet consignor’s personal data may be worth as much as his bank PIN code.”

The incident at Christie’s is not the auction house’s first, nor is it the art and culture sector’s only recent tech threat.

This past December, Gallery Systems, a software company that museums use to display their collections digitally and to manage documentation, saw their operations suddenly cease in an apparent cyberattack. In 2021, dealers who exhibit at Art Basel received an email from the fair stating that its parent company experienced a malware attack that potentially exposed their data. And years before that, several galleries and individuals in the United States and overseas were targets in an email scam in which hackers hijacked invoices from galleries to clients, and collected on them.

What makes auction houses, museums, and galleries particularly vulnerable is their clientele: high-net-worth individuals with coveted financial information. Possessing sensitive details about those with immense wealth, some in the industry think art institutions and businesses should do more to safeguard against potential breaches.

“Unfortunately, what we see is … a degree of risk tolerance that you would never typically see in the physical security realm,” Jordan Arnold told ARTnews; a former Manhattan prosecutor, he is a cofounder and partner in the ArtRisk Group, a risk advisory and investigative firm focused on fine art, antiquities, and collectibles.

Arnold said most businesses functioning in the art sphere would never allow unlocked doors or windows in their spaces. Yet, some are doing the digital equivalent.

While large, private institutions usually have the capital to maintain robust digital security systems and teams, it’s a heavier financial burden for small, nonprofit, and state-run entities. Remigiusz Plath, a board member of the International Committee for Museum Security, told ARTnews that cybersecurity has been top of mind for museum members. But he added that hiring the most qualified people to lead cybersecurity teams is a challenge, given that the private sector offers higher salaries.

“The market is so competitive,” Plath said. “They are extremely hard to find, especially for museums and cultural institutions.”

Few doubt that large institutions, from museums to auction houses, already have some cybersecurity measures in place. But whether they and the larger art world have enough is another matter.

“I think they do the minimum required as they understand it,” art adviser Todd Levin told ARTnews. “I don’t know if they even fully understand what they might actually have to do.”

Cybersecurity has been a priority for Levin for years. His security practices for his own business include keeping a separate dedicated server for client information that isn’t connected to the internet and to which only he has access.

One reason clients decide to work with him, Levin said, is because “I don’t have multiple young employees and interns with access to clients’ private computer data, seeing what artworks they own, what they paid, when they bought it, where it’s located, what it’s insured for, et cetera.”

Hoeveler said she maintains similar practices, what she refers to as “good security hygiene.” She utilizes multi-factor authentication and makes sure staff is trained to detect phishing scams.

Simple and uncomplicated as they seem, basic precautions like educating employees to recognize email and online threats and to run regular backups go a long way. The number of attacks in which cybercriminals exploited system vulnerabilities—weak passwords, outdated web browsers, and design flaws—saw a 180 percent increase in a one-year period, according to Verizon’s 2024 Data Breach Investigations Report.

“Basically, if we just raised the bar for the bad guys, it would make it dramatically harder for them,” Jason Hong, a computer science professor at Carnegie Mellon University, told ARTnews.

Now that even semi-sophisticated cybercriminals can purchase ransomware at the touch of a button or employ a chatbot to write a compelling scam email, shoring up cybersecurity has never been more important.

While not intending to alarm, Arnold said that the reality is, it’s never been simpler to stage a cyberattack. “And it seems, with the advent of things like automation and AI, it’s only getting easier.”

Teasing a fake Louis Vuitton x Beeple collaboration, the hacker first tweeted out a raffle entry and then a link where followers could claim one of 200 free NFTs Beeple was supposedly offering.

“Stay safe out there, anything too good to be true IS A FUCKING SCAM,” Beeple tweeted Sunday morning. “And as side note, there will never be a SURPRISE MINT I mention one time in one place starting at 6am Sunday morning. 🤦‍♂️”

While it’s yet unclear exactly how much money was lost, Harry Denley, a developer and security expert at MetaMask, estimated that the first scam link resulted in the loss of 36ETH, or approximately $73,000, he said in a series of tweets. The second link, he said was more sophisticated and was able to drain wallets of Ethereum, Wrapped Ether (a token pegged to Ether) and NFTs, resulting $438,000 in losses, according to his calculations.

Beeple, whose real name is Mike Winkelmann, told ARTnews that it is impossible to know if money was actually lost in the hack.

“Not sure if you’re aware but it’s literally impossible to see if ANY money was stolen,” Beeple told ARTnews in a text. “Anyone can just make a wallet and then transfer the money to it to make it ‘appear’ [that] they lost money through washtrading. Which people do to then try to get someone to give them a ‘refund’.”

Bad actors continue have access to Beeples Twitter account and they have now tweeted another phishing domain.

This one just prompts the user to send ETH to an EOA (0xcad7fc974F61A08ADEF110D1BA446fa5b5B5Bb27).

Infra: 44.227.238.106 pic.twitter.com/HzTga1OvNK

— harry.eth 🦊💙 (whg.eth) (@sniko_) May 22, 2022

Beeple is arguably the most famous digital artist in the world following his record breaking sale of the NFT Everyday’s: The First 5,000 Days at Christie’s for $69.3 million last March. With a large following of 673,200 people and a trustworthy reputation, Beeple was a perfect target for this kind of scam.

Twitter user Nate Jones, a warehouse material handler in Indiana, was one of many responding to Beeple’s tweets in disappointment about the hack. Unlike Jones, many requested that the artist offer refunds or claimed to have lost life savings, though such claims would be difficult to verify.

“I woke up and saw the post by Beeple and assumed it real, because he is verified,” Jones told ARTnews in a direct message. Jones described hurrying to get the money in his account to enter the raffle and trying to push two transactions through. “It was a complete fingers crossed moment, hoping to hit on a free art work essentially.”

Jones said he lost less than a couple of dollars. A screenshot he sent of the transaction showed that the link he clicked was for a free raffle and that he only had to pay the gas fee. This is odd on two counts, first, that Jones didn’t have to pay more for the raffle, and second, that his gas fees were unusually low. These hacks often affect different victims differently, and it’s hard to know why.

The crypto space has been hit by a number of hacks this year.

Last month, the Bored Ape Yacht Club’s Instagram page was hacked, which resulted in a loss of $3 million worth of assets in a phishing scam. Just last week, comedian Seth Green reported that he had lost several NFTs to a phishing scam.