RansomHub threatens to leak data of Christie’s auction house clients

The ransomware group RansomHub claimed responsibility for conducting a cyberattack on the British auction house Christie’s earlier this month.  

RansomHub is threatening to leak “sensitive personal information” from identification documents, including names, dates of birth and nationalities, according to a screenshot of the group’s dark website posted by Emisosft Threat Researcher Brett Callow on X Monday. RansomHub claims to have a total of 2GB of data of “at least 500,000” Christie’s clients from around the world.

The cybercrime group, which first emerged around February of this year, gained widespread attention last month when it recruited the former ALPHV/BlackCat affiliate that hacked Change Healthcare and threatened to leak the stolen data if a second ransom was not paid. RansomHub has since stated that the Change Healthcare data is up for sale.

The cyberattack on Christie’s, which auctions off billions of dollars-worth of art and luxury goods each year, caused the auction house to temporarily take down its main website on May 9.

During the outage, Christie’s CEO Guillaume Cerutti said in a statement on LinkedIn that the company was “managing this incident according to well-established practices supported by experts in the field.” One auction was briefly postponed as a result of the attack, while all other scheduled auctions proceeded as scheduled.

On Tuesday, following RansomHub’s claims, Cerutti shared an update on LinkedIn confirming that “a limited amount of personal data relating to some of our clients” was stolen after an unauthorized third party gained access to Christie’s network.

“There is no evidence of any financial or transactional data related to our clients or to Christie’s being taken or copied,” Cerutti wrote, adding that affected clients will be contacted within 48 hours of the post.

Cerutti’s statement did not confirm whether RansomHub was behind the attack, nor did it say how many clients were impacted by the attack.

RansomHub’s posting sets a deadline of approximately a week from Monday for Christie’s to pay an unspecified ransom amount, and claims that Christie’s “ceased communication midway through” negotiations.

“It is clear that if this information is posted they will incur heavy fines from GDPR as well as ruining their reputation with their clients and don’t care about their privacy,” the cybercriminals wrote.

Cerutti emphasized in his latest statement that Christie’s is complying with “all regulatory and governmental obligations” and has notified the appropriate privacy regulators of the breach.

Christie’s breach may expose information on high-profile clients

Clients of Christie’s have included royalty and other high-profile individuals, such as actor Leonardo DiCaprio, Saudi Prince Badr bin Abdullah Al Saud and billionaire real estate developer and prominent art collector Steve Wynn. Christie’s also allows buyers and sellers to remain anonymous and offers a “discreet” private sales service outside of its public auctions.

“High-end auction winners highly value their anonymity, often to protect personal privacy, financial security, and to avoid unwanted public attention or potential theft,” Ray Kelly, a security expert at the Synopsys Software Integrity Group, told SC Media in an email. “Moreover, this breach could damage Christie’s reputation, eroding trust with clients and potentially affecting future business.”

Christie’s requires individual buyers and sellers to provide a copy of a government-issued photo ID, such as a passport, in order to comply with anti-money laundering and sanction laws, “and to protect against fraud,” according to its FAQ. Organizations are also required to submit various documents including government-issued photo IDs for individuals authorized to big on behalf of the organizations.

What organizations can learn from the Christie’s ransomware attack

In an email to SC Media prior to RansomHub claiming responsibility for the attack, KnowBe4 Lead Security Awareness Advocate Javvad Malik commended Christie’s for demonstrating resilience by setting up an alternate website and enabling most of its auctions to continue despite the disruption.

“However, it raises pivotal questions about the security measures surrounding high-profile events and the preparedness for sophisticated threats, especially for institutions like Christie’s that are stewards of invaluable cultural and historical artifacts,” Malike said. “Their reliance on digital platforms, while enhancing accessibility and efficiency, also invites risks that must be mitigated with layered security measures, regular testing, and dynamic incident response plan that goes beyond traditional perimeter defense.”

Malik said the breach is a “critical reminder” for organizations to use simulated real-world attack scenarios when testing their cyber defenses and take a holistic approach to organizational cybersecurity.

“These tests shouldn’t just be conducted in isolation against IT systems, but should also test the people and procedures that they follow. Good security is no longer something that only the cyber team can achieve, but rather it needs a coordinated and concerted effort across all departments and colleagues to build a strong security culture,” Malik concluded.