If there’s one thing wealthy people have access to, it’s lawyers. As a result, a client of Christie’s recently filed a class-action lawsuit against the auction house after it experienced a cyberattack in May.
The incident, which Christie’s had previously referred to as a “technology security incident,” shut down its website for ten days before and during the house’s marquee New York sales.
The cyber-extortion group RansomHub claimed responsibility for the cyberattack on May 27. A dark-web message from the group also said it “attempted to come to a reasonable resolution,” but the auction house cut off communication halfway through negotiations. Christie’s emailed its clients on May 30 acknowledging the cyberattack, but said only identification data, not financial or transaction data, had been stolen.
The complaint filed in the Southern District of New York on June 3 alleges that Christie’s was unable to protect the “personally identifiable information”, or PII, of its clients, estimated to number at least half a million current and former buyers in its databases. The complaint describes the breach as “a direct result of [Christie’s] failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers’ PII from a foreseeable and preventable cyberattack”. The complaint also alleges that “data thieves have already engaged in identity theft and fraud and can in the future commit a variety of crimes” using the stolen information, which it said includes full names and passport numbers, as well as other sensitive details from passport scans, including dates of birth, birth places, genders, and barcode-like “machine-readable zones” or MRZs.
The complaint alleges the breach of data resulted in multiple “concrete injuries,” including invasion of privacy and lost time and opportunity costs from “attempting to mitigate the actual consequences of the Data Breach.”
The lawsuit also states that Christie’s clients are at risk of multiple forms of identity theft, including the possibility of bad actors opening fraudulent financial accounts and loans in the names of exposed individuals, illegally securing government benefits, or even acquiring identification with alternate photographs and “giving false information to police during an arrest”.
The only plaintiff currently named in the class-action lawsuit is Efstathios Maroulis, who is defined in the complaint as a resident and citizen of Dallas, Texas. Profiles on Instagram and LinkedIn matching Maroulis’ name and location said the individual was the founder and CEO of dental enterprise software company Jarvis Analytics, as well as the founder and CEO of digital marketing company Mesa Six. Jarvis Analytics was acquired by dental and medical supply company Henry Schein in 2021.
Messages from ARTnews to the Instagram and LinkedIn profiles believed to belong to Maroulis did not result in a response.
Maroulis’s complaint also argues that hackers with at least two forms of PII can use those illegally acquired details in combination with publicly available data found elsewhere to “assemble complete dossiers on individuals” with “an astonishingly complete scope and degree of accuracy”. The Art Newspaper, which first reported the lawsuit, noted that these dossiers, called “fullz” in hacker circles, “typically bring considerably higher prices on the dark web than partial records thanks to their considerably higher utility in perpetrating identity theft.”
The lawsuit’s definition of the scope of alleged harm as a result of the cyberattack also includes data brokers. Maroulis’ complaint alleges that clients affected by the data breach at Christie’s can no longer voluntarily sell their own personal data at full value as a result of its exposure from RansomHub, and that information “may also fall into the hands of companies that will use [it] for targeted marketing” without their consent or permission.
According to a document filed on June 5, United States District Court Judge Jesse M. Furman has ordered that counsel for all parties appear at an initial pre-trial conference at the court on September 10.
The auction house also filed a breach notification with the office of California Attorney General Rob Bonta. The letter states that Christie’s discovered it was the victim of a cybersecurity incident on May 9, engaged external cybersecurity experts, and notified law enforcement. The letter also states the auction house is offering a “complimentary twelve-month subscription to CyEx Identity Defense Total,” an identity theft and fraud monitoring service which would notify users of any changes to Experian, Equifax, and TransUnion credit reports.
The letter is signed by Christie’s chief operating officer Ben Gore. CyEx’s website states the reference value of “Identity Defense Total” at $19.99 per month.
A Christie’s spokesperson declined to comment to ARTnews on the lawsuit. When asked whether other breach notifications had been filed, a spokesperson wrote in an email, “Breach notifications have been issued to the appropriate authorities in line with continued compliance with GDPR and other relevant national and state regulations.”
Milberg Coleman Bryson Phillips Grossman, the law firm representing Maroulis, also had not responded to a request for comment from ARTnews by publication.
Despite the cyberattack, the auction house was still able to generate $114.7 million for the Rosa de la Cruz and 21st Century sales and $413 million during its 20th Century Evening sale in New York through bids by phone, in person, and on its online platform Christie’s Live.
News of the class-action lawsuit was first reported by The Art Newspaper. Brett Callow, threat analyst for the New Zealand–based cybersecurity firm Emsisoft, first posted news of the breach notification with the California Attorney General’s office on X.