Iconic auction house Christie’s is in hot water, and adding insult to injury, a class action lawsuit has emerged just weeks after its website was hacked. A Dallas-based customer filed a class action complaint in the Southern District of New York on June 3rd over Christie’s failure to protect “personally identifiable information” (PII). The auction house, founded in 1766, counts high net worth individuals from across the world as its clients.
The devastating cyberattack that unfolded in May 2024 not only compromised the plaintiffs’ “full names, genders, passport numbers, expiration dates, dates of birth, birth places, MRZs, countries, and document numbers,” per the lawsuit, but also put at risk the personal information of roughly 500,000 class action members. This breach, orchestrated by the notorious ransomware gang RansomHub, was a direct threat to the privacy and security of Christie’s esteemed clientele. The hacker group even went as far as auctioning and selling the stolen data, a chilling testament to the severity of the attack. Christie’s global sales reached approximately $6.2 billion in 2023, and now its clients are at risk of multiple forms of identity theft.
The complaint highlighted Christie’s poor handling of the situation as well. On May 30th, an email from Christie’s to its impacted customers barely revealed any information about the specific perpetrators of the cyberattack. It conveniently omitted essential details such as the date on which the cyberattack happened, the means by which it was executed, and the steps being taken to prevent similar incidents in the future. It is not surprising, then, that the clients showed a lack of faith in the esteemed auction house and chose to go down the legal path.
A Christie’s spokesperson said in defense, “Since the cybersecurity incident occurred, we have been actively monitoring online activity for any mention of Christie’s or our data. As a result, we are aware that a cyber group has made a statement, as yet unverified, claiming that data taken from a limited part of our systems has been sold. We continue to have no evidence that financial or transactional records or copies of documents, signatures, or photographs were taken. We have already notified those clients whose personal identity information was taken. We continue to comply with GDPR [General Data Protection Regulation] and other relevant national and state regulations.”