Thursday saw two new developments in the ongoing story of the historic hack against Christie’s auction house by the ransomware gang RansomHub. 

Christie’s sent clients a letter on the morning of May 30, detailing the client information that was compromised in the hack. It has also notified the Federal Bureau of Investigation and the British police about the attack. According to a statement from a Christie’s spokesperson, the hackers accessed client names and, for some, other personal identity information. 

“There is no evidence that any financial or transactional records were taken, for any clients,” said the house. “The personal identity data came from identification documents, for example passports and driving licenses, provided as part of client ID checks, which Christie’s is required to retain for compliance reasons. No ID photographs, signatures, email addresses or phone numbers were taken.”

The data from some clients’ passports included full name, gender, passport number, expiry date, and date and place of birth. From other IDs, such as drivers’ licenses or national identity cards, all data shown on the front of the cards was compromised, including name, date of birth, country, and document number.

What was not exposed was copies of the documents or contact information (if not listed on the document).

Some hours later, RansomHub offered the data at auction. “Let us sell the data by auction,” read RansomHub’s post on the dark web. “We abide by the rules of RansomHub and only sell once… Find something you like in the sample, then contact us.”

The gang threatened to release the information earlier this week. According to cybersecurity expert Brett Callow of New Zealand–based firm Emsisoft, that declaration was made around 3 p.m. on Thursday. Callow is not convinced this is a power move, posting on X: “It’s extremely unlikely that anybody would want to buy the information, and this is simply a Hail Mary effort to squeeze some money from Christie’s.”

#RansomHub claims it is selling Christie’s data by auction. It’s extremely unlikely that anybody would want to buy the information, and this is simply a Hail Mary effort to squeeze some money from Christie’s. #christies #ransomware 1/2 pic.twitter.com/CI8RHsUXGW

— Brett Callow (@BrettCallow) May 30, 2024

“What could have concerned Christie’s, and interested potential buyers, is the location of particular artworks or any financial information that would assist with committing identity-related fraud,” Callow said in a phone conversation. 

Referring to an earlier RansomHub post detailing what data it did have, he added: “The fact that they haven’t shown that they have any additional information, either for the purpose of putting further pressure on Christie’s or to attract buyers, would strongly indicate that they do not have any.”

Looking a few steps ahead, Callow pointed out that the gang might even claim to have sold the data, but that we should take such claims with a grain of salt.

“It’s a way of saving face when they are unable to monetize attacks,” he said. “It’s not just about the current victim but about future victims as well. They don’t want them to think they can just refuse to pay and nothing will happen.”