Editor’s Note: This story originally appeared in On Balance, the ARTnews newsletter about the art market and beyond. Sign up here to receive it every Wednesday.
Late this past Sunday, RansomHub, a group of cyber-extortionists, claimed responsibility for the apparent hack of Christie’s previously at perhaps the most inopportune time for the auction house: New York Auction Week.
In a message posted to the dark web, the group shared an image containing a sample of the data taken in the attack, which it said included “sensitive personal information” concerning the auction house’s rarefied clientele. The message also had a timer counting down to RansomHub’s threatened release of the data, set to hit zero by the end of May.
This is just the latest development in what CEO Guillaume Cerutti euphemistically termed a “technology security incident” earlier this month, which caused a shutdown of the house’s website. For the entirety of May’s marquee auctions, clients had to make bids in person, by phone, or through a temporary site. Luckily for Christie’s, the incident didn’t appear to derail the sales—all the auctions went on as planned and the sales totaled more than $640 million—and the website has since been restored.
“Subsequent to the breach, everything seems fine,” art adviser Mary Hoeveler told ARTnews. But, she added, a big question remains: What information, if any, did the bad actor collect?
In a statement published this past Sunday, a Christie’s spokesperson, Edward Lewine, confirmed that “there was unauthorized access by a third party to parts of Christie’s network.” However, he added, the company’s investigations found no evidence that the hackers had compromised “any financial or transactional records,” taking only “a limited amount of personal data.”
If that is truly so, it would explain why the auction house appears to have taken a hard line with RansomHub: a dark-web message from the group said it “attempted to come to a reasonable resolution,” but Christie’s cut off communication halfway through negotiations.
Like many sectors, the art market is facing a growing onslaught of cybersecurity threats. In the broader economy, the number of online attacks small businesses experienced in 2023, for instance, increased 28 percent from the year prior, according to a report by the nonprofit Identity Theft Resource Center.
“When it comes to data breaches and hacks, auction houses and galleries are no different from, say, financial institutions or car companies,” art market lawyer Thomas C. Danziger told ARTnews via email. “To a savvy hacker, the Monet consignor’s personal data may be worth as much as his bank PIN code.”
The incident at Christie’s is not the auction house’s first, nor is it the art and culture sector’s only recent tech threat.
This past December, Gallery Systems, a software company that museums use to display their collections digitally and to manage documentation, saw their operations suddenly cease in an apparent cyberattack. In 2021, dealers who exhibit at Art Basel received an email from the fair stating that its parent company experienced a malware attack that potentially exposed their data. And years before that, several galleries and individuals in the United States and overseas were targets in an email scam in which hackers hijacked invoices from galleries to clients, and collected on them.
What makes auction houses, museums, and galleries particularly vulnerable is their clientele: high-net-worth individuals with coveted financial information. Possessing sensitive details about those with immense wealth, some in the industry think art institutions and businesses should do more to safeguard against potential breaches.
“Unfortunately, what we see is … a degree of risk tolerance that you would never typically see in the physical security realm,” Jordan Arnold told ARTnews; a former Manhattan prosecutor, he is a cofounder and partner in the ArtRisk Group, a risk advisory and investigative firm focused on fine art, antiquities, and collectibles.
Arnold said most businesses functioning in the art sphere would never allow unlocked doors or windows in their spaces. Yet, some are doing the digital equivalent.
While large, private institutions usually have the capital to maintain robust digital security systems and teams, it’s a heavier financial burden for small, nonprofit, and state-run entities. Remigiusz Plath, a board member of the International Committee for Museum Security, told ARTnews that cybersecurity has been top of mind for museum members. But he added that hiring the most qualified people to lead cybersecurity teams is a challenge, given that the private sector offers higher salaries.
“The market is so competitive,” Plath said. “They are extremely hard to find, especially for museums and cultural institutions.”
Few doubt that large institutions, from museums to auction houses, already have some cybersecurity measures in place. But whether they and the larger art world have enough is another matter.
“I think they do the minimum required as they understand it,” art adviser Todd Levin told ARTnews. “I don’t know if they even fully understand what they might actually have to do.”
Cybersecurity has been a priority for Levin for years. His security practices for his own business include keeping a separate dedicated server for client information that isn’t connected to the internet and to which only he has access.
One reason clients decide to work with him, Levin said, is because “I don’t have multiple young employees and interns with access to clients’ private computer data, seeing what artworks they own, what they paid, when they bought it, where it’s located, what it’s insured for, et cetera.”
Hoeveler said she maintains similar practices, what she refers to as “good security hygiene.” She utilizes multi-factor authentication and makes sure staff is trained to detect phishing scams.
Simple and uncomplicated as they seem, basic precautions like educating employees to recognize email and online threats and to run regular backups go a long way. The number of attacks in which cybercriminals exploited system vulnerabilities—weak passwords, outdated web browsers, and design flaws—saw a 180 percent increase in a one-year period, according to Verizon’s 2024 Data Breach Investigations Report.
“Basically, if we just raised the bar for the bad guys, it would make it dramatically harder for them,” Jason Hong, a computer science professor at Carnegie Mellon University, told ARTnews.
Now that even semi-sophisticated cybercriminals can purchase ransomware at the touch of a button or employ a chatbot to write a compelling scam email, shoring up cybersecurity has never been more important.
While not intending to alarm, Arnold said that the reality is, it’s never been simpler to stage a cyberattack. “And it seems, with the advent of things like automation and AI, it’s only getting easier.”