Leading global auction house Christie’s has fallen victim to a data breach threatening the personal information of at least 500,000 private clients.

Christie’s – which has auctioned works from the likes of Pablo Picasso and Leonardo da Vinci – has been busy dealing with the cyber incident throughout most of May.

Earlier in the month, while trying to sell a range of art and other items worth an estimated $1.26 billion (US$840 million), the company reported a “technology security incident” which left customers unable to access its website.

While Christie’s eventually brought its website back online, the company has now confirmed it suffered a data breach after ransomware criminals threatened to leak a collection of stolen personal data from its clients on the dark web.

“Earlier this month Christie’s experienced a technology security incident. We took swift action to protect our systems, including taking our website offline,” a Christie’s spokesperson told Information Age.

“Our investigations determined there was unauthorised access by a third party to parts of Christie’s network.”

While the spokesperson did not confirm the method of attack to Information Age, the company did confirm a “limited amount of personal data” relating to some of its clients was taken during the breach.

RansomHub – the criminal outfit claiming responsibility for the attack – on Monday posted a listing for Christie’s on its dark web leak page, in which it boasts having stolen 2 gigabytes of sensitive information “for at least 500,000 of [Christie’s] private clients from all over the world”.

“While utilising access to Christie’s network we were able to gain access to their customers sensitive personal information,” wrote RansomHub.

“We attempted to come to a reasonable resolution with them but they ceased communication midway through.”

The criminal outfit posted an image which contains an alleged sample of the stolen data, including full names, birth dates, genders and a range of dataset fields labelled “Passport”, “IssuingLocation”, “DocumentNumber” and more.

The listing contains a countdown timer, presumably marking the deadline after which the stolen data will be leaked if no ransom is paid.

At the time of writing, this timer is at approximately 4 days remaining.

Christie’s did not confirm to Information Age whether it was asked to pay a ransom, nor has it publicly verified RansomHub’s sample of allegedly stolen data; however, the criminal group has already shared purportedly stolen information from victims across Canada, China and Indonesia.

A spokesperson for Christie’s emphasised there is “no evidence” of financial or transactional records being compromised during the breach, and the company is in the process of “communicating shortly with affected clients”.

RansomHub a rising threat

Although a relatively new threat actor, RansomHub is widely accepted as one of 2024’s most prominent threats – trailing just behind leading ransom outfit Lockbit with 23 victims in April.

On 25 February, RansomHub posted its first known victim, Brazilian accounting firm YKP, on a dark web listing similar to the current one for Christie’s.

Since then, it has gone on to claim responsibility for upwards of 50 breach victims, including Sydney-based retail design company Design Intoto and US drug testing service provider American Clinical Solutions.

Notably, RansomHub is believed to have recently recruited former affiliates of the notorious BlackCat ransom gang, which itself carried out a historic attack on US company Change Healthcare earlier this year.

After the attack, a BlackCat affiliate aired a public dispute with the gang regarding their unreceived share of a purported ransom payout.

BlackCat itself seems to have vanished following the unprecedented Change Healthcare attack, with RansomHub going on to temporarily advertise the stolen data for sale on its own dark web site.

While the identity and geopolitical affiliations of RansomHub’s members are currently unknown, its dark web site warns the group does not allow “CIS, Cuba, North Korea and China to be targeted”, suggesting its international members are either based in or prefer not to attack communist states.

Operating by a ‘ransomware-as-a-service’ model – where affiliates typically carry out attacks using the gang’s ransomware in exchange for a fee or cut of ransom payouts – RansomHub also claims to draw a moral line at targeting non-profit organisations, and strictly forbids follow-up attacks on victims who have already paid out a ransom in a previous incident.

While many of RansomHub’s leak listings now advertise openly published sets of purportedly stolen data, some are instead put up for auction on the gang’s dark web page.

As for the Christie’s data, it is unclear whether the group only intends to publish its proclaimed data leak or offer it up to the highest bidder.