Christie's
Image: Ronan Dorard

Christie's confirmed that it suffered a security incident earlier this month after the RansomHub extortion gang claimed responsibility and threatened to leak stolen data.

Christie's is a prominent auction house with a history spanning 2.5 centuries. It operates in 46 countries and specializes in selling art, luxury items, and high-valued collectibles.

Christie's has handled numerous notable auctions such as Leonardo da Vinci's Salvator Mundi for $450 million in 2017, the Yves Saint Laurent and Pierre Bergé collection for 370 million euros in 2009, and Paul Allen's art collection that surpassed $1.5 billion in 2022.

Yesterday, the RansomHub ransomware group added Christie's on its extortion page on the dark web, claiming it had breached the company and stole sensitive client data.

A Christie's spokesperson confirmed to BleepingComputer that the company had suffered a data breach that impacted some clients.

"Earlier this month Christie's experienced a technology security incident. We took swift action to protect our systems, including taking our website offline," confirmed the spokesperson.

"Our investigations determined there was unauthorized access by a third party to parts of Christie's network."

"They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients."

The spokesperson noted that there is no evidence that any financial or transactional records were compromised due to this incident.

Christie's says it is notifying privacy regulators and government agencies and will also inform all affected clients through personalized communication.

RansomHub extortion

RansomHub listed Christie's on its extortion portal, giving the company a little over five days at the time of writing, before they leak the company's stolen data.

RansomHub is a relatively new extortion group that demands ransom payment from victims in exchange for not publishing and deleting data stolen in attacks.

Ironically enough, the threat actors often auction the stolen files, sharing them exclusively with the highest bidder.

RansomHub
Source: BleepingComputer

The cybercriminals claim to hold the full names, physical addresses, ID document details, and various other sensitive information of 500,000 Christie's clients.

Interestingly, RansomHub uses reputation loss and heavy GDPR fines as a lever of pressure in its announcement of Christie's.

The attackers also allege that they attempted to negotiate a resolution with the auction house, but the former abandoned the effort midway.

While many consider RansomHub to be a ransomware gang, no encryptor has been found for the operation, indicating that they currently only conduct data theft attacks or partner with other threat actors to help extort companies.

This was seen after the recent Change Healthcare/United Health ransomware attack when RansomHub's site was used to leak samples of files stolen by a BlackCat ransomware affiliate, attempting to extort the American healthcare giant.

Related Articles:

Christie's starts notifying clients of RansomHub data breach

Infosys McCamish says LockBit stole data of 6 million people

Change Healthcare lists the medical data stolen in ransomware attack

Panera Bread likely paid a ransom in March ransomware attack

Frontier warns 750,000 of a data breach after extortion threats