
May 16, 2024


Rising Threats in the Art Market's Cybersecurity Landscape

While Christie's website continues to state “We apologise that our full website is currently offline”, redirecting visitors to a temporary page outside of its own web domain, its auctions have managed to continue at a healthy pace. Market players have underscored the auction house's fine art of resilience since the May 11th incident, which occurred just days before the firm's scheduled $840M art mega-auction.

But while the art world's show must go on, tech security experts and the general public would like a little more information.

Following its second cyber attack in less than a year, Christie’s assured its clients that its auctions would proceed, with bidders being able to participate in person, by phone, or through the Christie’s Live platform. But the auction powerhouse released no information regarding what systems had been impacted, only that it was working with a team of internal and external technology experts to resolve the matter as quickly as possible. Company CEO Guillaume Cerutti referred to the kerfuffle as a “technology security incident” but said nothing about whether or not financial or other sensitive data tied to Christie’s clientele had been compromised.

Despite the web outage, Vojtěch Kovařík's ‘Hercules with his head in his hand’ sold for $94,500 on May 15th.

In July 2023 Zentrust Partners alerted Christie’s to an earlier security breach in which sensitive location metadata was accessible from some uploaded photos. This oversight is believed to have revealed the exact whereabouts of art owned by a percentage of the auction house’s wealthiest collectors, potentially compromising their privacy and security by exposing data which identified the locations where artworks had been photographed. Within a month, the auction house had enhanced its cybersecurity measures and offered its affected clients support and guidance on mitigating potential risks resulting from the breach.

In 2014 the Syrian Electronic Army hacked Christie's website, as well as 23 other sites including Forbes, The Chicago Tribune, Ferrari, the Independent, and the Daily Telegraph. In this instance the hackers attacked vulnerable sites that accessed the Gigya CDN, injecting JavaScript code which caused all the sites to display a specific popup drawing attention to the group's cause. Not engineered to inflict damage, the disrupters signed off with a postscript saying “PS: We would never attack users or damage systems. It was just a message.”

It's worth recalling that on October 29, 2023 the British Library experienced a technology outage, with the library issuing a statement very similar to the one issued this month by Christie's CEO. Library management described that incident as “a technology outage.”

The British Library's incident turned out to be a highly sophisticated and disruptive cyberattack by the Rhysida ransomware group, which continues to impact the institution's website, online systems, and services, as well as some onsite services, even today. As in the Christie's incident, the library was also forced into the position of having to set up a temporary website.

The Rhysida ransomware group is believed to have originated from a collective of cybercriminals with extensive experience in malware development and network infiltration. Its ransomware debuted in mid-2023 and is distinguished by its advanced evasion techniques.

To attack vulnerable systems, Rhysida utilises obfuscation methods to avoid detection by traditional antivirus and anti-malware solutions.  It is characterised by its rapid encryption process followed by the deployment of ransom demands.  

To gain access, Rhysida primarily exploits vulnerabilities in its targets' systems through phishing attacks and other social engineering tactics. Once inside, the malware renders its target's critical data inaccessible.

Another distinguishing feature of the Rhysida group is their use of double extortion. Beyond encrypting data, they exfiltrate sensitive information and threaten to publish it unless a ransom in cryptocurrency is paid in exchange for the decryption key. The malware’s encryption algorithm is robust, and often leaves compromised victims with no choice but to pay the ransom or face significant data loss.

While the root cause of this recent Christie's outage has not been released, high-impact incidents like these highlight vulnerabilities within the digital frameworks of important cultural institutions, as well as high-value asset transaction sites in the art market, where customer names, accounts, banking details, and credit card information are ubiquitous in the online bidding process.