Just a few weeks after its website was taken over by hackers in a major cyberattack as auction season was kicking into high gear, Christie’s is now the target of a class action suit alleging negligence, breach of implied contract, unjust enrichment, and violation of the New York deceptive trade practices act.
The lead plaintiff on the suit, which was filed June 3 in U.S. District Court for the Southern District of New York, is listed as Efstathios Maroulis, of Dallas, Texas. As The Art Newspaper noted, a person with the same name, based in Dallas, has the title of vice president and general manager of dental analytics and patient experience at a firm identified as Henry Schein One. Maroulis could not immediately be reached for comment.
Attorneys for Maroulis and the other plaintiffs are based in Long Island, New York, Washington, D.C., and Dallas, and did not immediately respond to a request for comment.
According to the complaint, Christie’s failed to “properly secure and safeguard sensitive information of its customers.” The plaintiffs said they entrusted their personal information to the auction house “on the mutual understanding that defendant would protect it against disclosure,” only to have it “targeted, compromised, and unlawfully accessed due to the data breach.”
The personal information compromised in the breach included the plaintiffs’ “full names, genders, passport numbers, expiration dates, dates of birth, birth places, MRZs, countries, and document numbers,” according to the complaint. MRZ refers to the “machine readable zone” in a passport that encloses the document holder’s personal data.
The complaint alleged that the information compromised in the data breach was “exfiltrated by cyber-criminals and remains in the hands of those cyber-criminals who target” the information for its value to identity thieves. As a result of the breach, the complaint alleged, roughly 500,000 class action members have been exposed to invasion of privacy, theft of information, and lost time and opportunity costs connected to attempting to mitigate the potential consequences of the breach.
RansomHub, a ransomware gang, has claimed responsibility for the hack. In a post on May 27, it threatened to leak the auction house’s client data unless a ransom was paid in a week. As the deadline neared, the hacker group put the data up for auction and has since claimed to have sold the data.
The 56-page complaint goes into extensive detail about Christie’s responsibilities and failure to protect the personal data, and the ongoing vulnerability that clients have going forward, specifically a “heightened and imminent risk of fraud and identity theft.”
Asked for comment, a Christie’s spokesperson said via email: “Since the cyber security incident occurred, we have been actively monitoring online activity for any mention of Christie’s or our data. As a result, we are aware that a cyber group has made a statement, as yet unverified, claiming that data taken from a limited part of our systems has been sold. We continue to have no evidence that financial or transactional records or copies of documents, signatures or photographs were taken. We have already notified those clients whose personal identity information was taken. We continue to comply with GDPR [General Protection Data Regulation] and other relevant national and state regulations.”
Christie’s declined to comment on the RansomHub’s bid to sell its data.
Its statement continued: “We would like to thank our clients for their continuing trust and support during this challenging time and, again, we express our regret for any inconvenience caused.”