As Christie’s struggled to deal with a historic cyber “incident” that crippled its website before a week of crucial auctions earlier this month, one of the unanswered questions was whether the incident was only an outage of the company’s website engineered by malicious parties (which would have been bad enough) or whether client data was actually compromised. 

That question would seem to be answered. According to one expert, ransomware gang RansomHub has indicated that it has sensitive data on the auction house’s clients and has issued an implicit threat to publicize the information. 

Brett Callow, a threat analyst at Esmisoft, a cybersecurity firm based in New Zealand, posted on X an image of a post from the RansomHub site with a blurred sample of some of the information contained in the trove.

“While utilizing access to Christies network we were able to gain access to their customers sensitive personal information… for at least 500,000 of their private clients from around the world,” read the announcement in part, indicating some of the data points and adding “and much more.” 

“We attempted to come to a reasonable solution with them but they ceased communication midway through,” it continued.

RansomHub has listed Christie’s #ransomware #christies pic.twitter.com/V98EA2jFmh

— Brett Callow (@BrettCallow) May 27, 2024

Referring to the General Protection Data Regulation, the European Union information privacy regulation passed in 2016, the group said: “It is clear that if this information is posted they will incur heavy fines from GDPR as well as ruining their reputation with their clients and don’t care about their privacy.”

RansomHub is the same extortion group that offered information from Change Healthcare, a branch of United Health Group subsidiary Optum, for sale in April. Change Healthcare took in $3.48 billion in revenue in 2022. Callow was one of the first to post that information as well, according to SC Media.

According to Callow, the group started one-week countdown clock when it posted the announcement. While he didn’t know the amount RansomHub is demanding, he offered two points of comparison.

“The biggest ransom demanded to date is $240 million, made to [electronics retail giant] MediaMarkt, which wasn’t paid,” he said. “The biggest known to have been paid is $40 million, which was asked from [commercial insurer] CNA Financial Corporation.”

Christie’s is downplaying the threat.

“Our investigations determined there was unauthorized access by a third party to parts of Christie’s network,” said the auction house in a statement. “They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients. There is no evidence that any financial or transactional records were compromised.

“Christie’s is currently notifying privacy regulators, government agencies as well as in the process of communicating shortly with affected clients,” said the house.

The attack on Christie’s led to the auctioneer’s website being down for some 10 days during its crucial New York sales week, which included a $114.7 million sale of contemporary art and a $413 million 20th-century art sale. While some experts said that the attack could be “devastating,” others said that Christie’s could be counted on to conduct solid sales using traditional means, and that prediction seemed to be borne out.

This is a developing story. We will update it as more information becomes available.