The hacker collective known as RansomHub, which claimed responsibility for a cyberattack that led to Christie’s website being down ahead of several high-profile spring season sales this month, has threatened to leak personal data about the auction house’s clients.
RansomHub, which was behind another cyberattack last February on the healthcare payment management provider Change Healthcare, says it will publicize the data of “at least 500,000 private clients” by Friday, May 31, if Christie’s doesn’t pony up an undisclosed monetary amount.
In an updated statement regarding the cyberattack shared with Hyperallergic, a Christie’s spokesperson said that ongoing investigations “determined that the group behind the incident took some limited amount of personal data relating to some of our clients” and that “there is no evidence that any financial or transactional records were compromised.”
The technical disruption, which lasted from May 9 to May 18, didn’t appear to hinder any sales as Christie’s quickly set up a temporary website with lot information for various auctions, and clients were requested to bid via phone or in person. The auction house referred to the cyberattack as a “technology security incident” at the time and did not comment on whether client data had been breached.
On Monday, May 27, RansomHub took responsibility for the attack, according to the New York Times, and claimed to have retrieved personal information from half a million Christie’s clients. In a statement reportedly published on the so-called dark web, the group shared a screen-captured snippet of client information including full names, birthdates, sex, and nationality as proof, threatening to release all information unless the auction house paid up.
Brett Callow, a threat analyst at the New Zealand-based cybersecurity software firm Emsisoft, shared RansomHub’s extortion threat with the screen-captured data sample blurred out on X.
RansomHub claimed that it tried to find a “reasonable resolution” with Christie’s, but the auction house ceased communications after a certain point. The group also alleges that the auction house would be hit with heavy fines for violating the General Data Protection Regulation — a European Union law mandating that data controllers report data breaches that could cause harm to impacted individuals.
“Christie’s is currently notifying privacy regulators, government agencies as well as in the process of communicating shortly with affected clients,” the Christie’s spokesperson told Hyperallergic. The representative did not disclose how many clients may have been affected or how much money RansomHub was demanding, but maintained that there is no evidence that financial or transactional records were compromised.
