Art & Tech
A Data Breach at Christie’s Revealed Exact GPS Coordinates of Collectors’ Artworks
If you uploaded photographs of your art to Christie's, the location of your collection might have been available to the public.
If you uploaded photographs of your art to Christie's, the location of your collection might have been available to the public.
Sarah Cascone ShareShare This Article
A data breach at Christie’s auction house has revealed the exact whereabouts of art owned by some of the world’s wealthiest collectors.
Hundreds of Christie’s clients who had uploaded photographs of their prized paintings and sculptures for the auction house’s review were affected by the cybersecurity incident. Researchers Martin Tschirsich and André Zilch of the German cybersecurity research company Zentrust Partners uncovered the breach when a friend asked them to check how secure the auction house’s data was.
“Unfortunately, it only took us a few minutes to come across this serious vulnerability,” Tschirsich told the Washington Post. “The vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.”
“Around 10 percent of the uploaded images contain exact GPS coordinates,” the researchers told the Post.
That means that their photographs don’t just contain the street address of where they were taken, but the artworks’ exact location within just a few feet.
This kind of vulnerability can be part and parcel for doing business online, with most would-be clients of major auction houses communicating over the internet before agreeing to consign a work.
The team at Zentrust Partners alerted Christie’s to the breach in July, but the issue was only fixed this week. When Tschirsich and Zilch offered to help resolve it—work they often do free of charge, including for the German health care system and election board—the auction house insisted that “we do not require any advice or assistance,” according to the Post report.
“As cybersecurity researchers we were very surprised by this reaction,” Zilch said, noting that the fix could have been made in a matter of days, if not hours.
It’s unclear if the auction house will communicate directly with clients whose data was compromised. A German professor who recently sent photographs to Christie’s told the Post that the auction house had not spoken to him about the breach, and that the paper’s investigation was the first he had heard of the issue.
“Christie’s respects its clients concerns about privacy and treats the protection of client information as a top priority. We maintain a comprehensive information security program comprised of safeguards designed to protect against unauthorized access to and disclosure of client information,” the auction house said in a statement provided to Artnet News. “As part of that program, we continuously assess our security safeguards, thoroughly address issues relating to the security of our clients’ information, and comply with our legal and regulatory obligations, including with respect to notifying our clients and applicable regulators.”
More Trending Stories:
Blue-Chip Artworks Seized From Top Portuguese Collector Will Be Featured in New Art Museum in Lisbon