On June 3, clients of Christie’s filed a class-action lawsuit against the art world’s most expensive auction house for a data breach in which their personally identifiable information (PII) was stolen and put up for sale on the dark web in May.
The complaint, filed in the Southern District of New York, alleges that as “a direct result of [Christie’s] failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers’ PII from foreseeable and preventable cyberattacks, data thieves have already engaged in identity theft and fraud and can in the future commit a variety of crimes” using the stolen information.
The compromised information allegedly includes full names and scans of passports and driver’s licenses, which Christie’s said it is required to store for identification purposes. On these scans are passport numbers, birthdates, birth places, addresses, and other PII that identity thieves can use to open fake financial accounts to obtain loans, the lawsuit alleges.
Christie’s maintains that none of its clients’ financial or transaction information was taken. It filed a report of the cyber breach with the Attorney General of California and is offering a complimentary 12-month subscription for an identity theft and credit monitoring service to all of its clients.
The stolen PII belongs to approximately 500,000 current and former buyers who have participated in Christie’s auctions. Given the significant wealth of most Christie’s clients, it represents a huge treasure trove for identity thieves and for scammers who use social engineering (phishing) techniques to siphon money from the unsuspecting.
On May 27, the cybercriminal group RansomHub claimed it was behind the intrusion. After negotiations with Christie’s to obtain a ransom failed, it put the customer database up for sale on the dark web for an undisclosed sum. It’s conceivable that RansomHub is turning the tables on Christie’s buyers and auctioning their information to the highest bidder.