A Data Breach at Christie’s Revealed Exact GPS Coordinates of Collectors’ Artworks

If you uploaded photographs of your art to Christie's, the location of your collection might have been available to the public.

Christie's 20th/21st Century: London Evening Sale, February 28, 2023. Photo courtesy of Christie's Images Limited 2023.

A data breach at Christie’s auction house has revealed the exact whereabouts of art owned by some of the world’s wealthiest collectors.

Hundreds of Christie’s clients who had uploaded photographs of their prized paintings and sculptures for the auction house’s review were affected by the cybersecurity incident. Researchers Martin Tschirsich and André Zilch of the German cybersecurity research company Zentrust Partners uncovered the breach when a friend asked them to check how secure the auction house’s data was.

“Unfortunately, it only took us a few minutes to come across this serious vulnerability,” Tschirsich told the Washington Post. “The vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.”

“Around 10 percent of the uploaded images contain exact GPS coordinates,” the researchers told the Post.

That means the photographs don’t just reveal the street address where they were taken, but the artworks’ exact location to within just a few feet.

This kind of vulnerability can be part and parcel of doing business online, with most would-be clients of major auction houses communicating over the internet before agreeing to consign a work.

The team at Zentrust Partners alerted Christie’s to the breach in July, but the issue was only fixed this week. When Tschirsich and Zilch offered to help resolve it—work they often do free of charge, including for the German health care system and election board—the auction house insisted that “we do not require any advice or assistance,” according to the Post report.

“As cybersecurity researchers we were very surprised by this reaction,” Zilch said, noting that the fix could have been made in a matter of days, if not hours.

It’s unclear if the auction house will communicate directly with clients whose data was compromised. A German professor who recently sent photographs to Christie’s told the Post that the auction house had not spoken to him about the breach, and that the paper’s investigation was the first he had heard of the issue.

“Christie’s respects its clients’ concerns about privacy and treats the protection of client information as a top priority. We maintain a comprehensive information security program comprised of safeguards designed to protect against unauthorized access to and disclosure of client information,” the auction house said in a statement provided to Artnet News. “As part of that program, we continuously assess our security safeguards, thoroughly address issues relating to the security of our clients’ information, and comply with our legal and regulatory obligations, including with respect to notifying our clients and applicable regulators.”

 
