Auction house Christie's said Thursday it had notified the Federal Bureau of Investigation and British police about a cyberattack that disrupted its website earlier this month and had begun informing customers about what personal information had been compromised.
In an email to customers, the company said the hack did not expose customer financial data or information about recent sales activity, but it did say some personal information on customer identification documents was exposed.
“Personal information was obtained from identification documents such as passports or driver's licenses provided as part of customer identity checks, and Christie's is required to retain these documents for compliance reasons,” Christie's spokeswoman Jessica Stanley said in a statement Thursday morning. “Photos, signatures, email addresses or phone numbers from the identification documents were not taken.”
It was the first time that Christie's officials had publicly disclosed what information hackers may have obtained from the company's records about some of the world's wealthiest art collectors. The admission came days after a group called Ransomhub admitted responsibility for the cyberattack and threatened to make public its findings on about 500,000 of the company's customers. Previously, the auction house had called the cyberattack a “technology security incident” and tried to calm anxious bidders with a temporary website, despite serious concerns from some employees.
The company's efforts to downplay the significance of the cyberattack were largely successful with bidders: its flagship spring auction, which began shortly after the hack, brought in $528 million.
Ransomhub, the company responsible for the Christie's hack, wrote on the dark web that “we tried to reach a reasonable settlement with them but somewhere along the line they lost contact” and threatened to start releasing the data.
Christie's said in an email to clients that it had notified relevant law enforcement agencies in the UK and the US. The agencies did not immediately respond to a request for comment.
In an email to customers, Christie's urged them to check their accounts for any anomalies and said it offered “free identity theft protection and monitoring services.”