Red-handed: opportunistic criminals are always finding new ways to dupe businesses, from ransomware attacks, as in the Christie’s case, to sending bogus invoicesto clients nuclear_lily
More than any sale result, the most memorable aspect of New York’s spring 2024 season has proven to be the cyberattack executed against Christie’s on 9 May, forcing the auction house to radically pare down its website five days before its marquee auction week opened. After restoring its full online presence within ten days, Christie’s told affected clients in an email on 30 May (seen by The Art Newspaper) that the perpetrators acquired no financial details, transaction-related information, photographs or other data beyond various contact details visible on their passport pages or identity cards.
The saga has nonetheless reinforced that hackers pose a serious threat not only to auction houses but to the international art trade at large. This year’s Art Basel naturally raises the question of how vulnerable commercial galleries, art advisers and others are compared to Christie’s. Yet the answer is difficult to know, as the safety of clients’ personal and financial details is a particularly sensitive subject within the private market.
It took Christie’s ten days to restore its website completely after the hack on 9 May Casimirokt/Dreamstime.com
Many dealers, advisers and service providers tell The Art Newspaper that clients rarely, if ever, ask about how their data is protected, and that proprietors are equally reluctant to broach the topic. “The people working in galleries want to talk about art and artists, not about the security of clients’ information,” says James Carroll, the founder of Hacket Cyber, a Syracuse, New York-based company that provides database and software security services to a range of businesses, including some galleries and museums. Anthony Meier, a San Francisco-based gallerist and the president of the Art Dealers Association of America (ADAA), typifies the friction, saying cybersecurity “is a topic we at the ADAA take seriously and consider to be a confidential matter”.
‘Inherently vulnerable’
Galleries and advisories, like auction houses, frequently maintain extensive client files, with home and billing addresses, phone numbers, banking details and credit card information, as well as documentation of art purchased, such as sale prices, images, appraised values and current locations. Irene C. Papanestor, a New York-based adviser, also notes that such confidential data may be spread across a large network in many forms: “The global nature of our business, along with a proliferation of vendors and service professionals—conservators, customs brokers, insurance agents and shippers, to name just a few—yields a lot of footprints. Compliance with EU anti-money laundering regulations can require even more digital paperwork, and a lot of this documentation flows through correspondence as inherently vulnerable email attachments.”
James Carroll, the founder of Hacket Cyber, says that increasingly hackers demand a second payment to prevent them from posting sensitive information Simon Dawson/Bloomberg via Getty Images
The most prevalent cybersecurity threats come in the form of emails containing malware—viruses meant to damage the recipient’s computer systems—and ransomware, through which a hacker can access and encrypt internal files, thereby locking a business out of its own systems unless it pays up. Increasingly, Carroll says, hackers “double dip” by demanding a second payment to prevent them from posting any sensitive information publicly. (RansomHub, the group claiming responsibility for the Christie’s cyberattack, threatened to release confidential client information by 3 June, but there has been no evidence at the time of publication that it has followed through.) Carroll adds that the confusion of being blocked out of one’s own network is compounded in cases where victims “receive a ransom note, often in Russian, and they have to quickly find someone to translate the note so that they know what they have to do in order to retrieve their files”.
Christie’s more recent, more public troubles have overshadowed multiple cyberattacks on dealers in the past few years. Todd Levin, a New York-based adviser, recalls that a number of galleries’ email systems were breached during the depths of the Covid-19 pandemic, leading to their clients being sent what “looked for all the world like perfectly ordinary invoices” for works they were purchasing—only with the bank details changed to reroute the money to accounts controlled by the hackers. Some collectors, he says, lost hundreds of thousands of dollars in the swindle. “I now warn clients, before they make a payment, to call the gallery and speak with someone to confirm all the information,” he says. “It only takes two minutes. You don’t want to be phished.”
A similar scam made headlines in the art trade in 2017, when hackers infiltrated the email accounts of at least nine galleries to try to intercept payments. Some, such as Hauser & Wirth, say they were able to avoid any financial losses; others, such as Thomas Dane Gallery and Simon Lee Gallery, lost only small sums. Less fortunate was Laura Bartlett, whose London-based gallery closed for good shortly after she and a client struck a major deal for a group of works—but were unable to recover the funds unwittingly sent to the hackers who had invaded their email correspondence.
Although Christie’s has what its spokesperson calls a “team of technology experts” overseeing digital resources, most auction houses rely on third-party firms to register clients for sales and provide remote bidding and payment infrastructure. Similarly, galleries typically “don’t have a dedicated IT person whose job it is to monitor the online systems”, Carroll says.
Password protected?
Instead, they frequently outsource their cybersecurity needs—such as installing updates or patches to software, creating new passwords and removing malware—to external IT companies. Lucy Mitchell-Innes, the co-owner of New York’s Mitchell-Innes & Nash, says her gallery relies on outside “tech guys” to keep everything safe, including by implementing computer systems with “layers of protection”, such as multifactor authentication to log on to the gallery’s systems and password-protected invoices.
Company-wide protocols for handling suspicious emails and links are also key to preventing breaches, Carroll says: “Like a fire drill that trains kids in school [on] what to do and where to go if there is a fire, gallery staff need to be trained in what they are supposed to do and who they are supposed to call.”
Cybersecurity insurance is also available to the art trade at large, but the number of individuals and companies that purchase it is “quite low”, says Ellen Hoener Ross, the managing director of fine arts at Gallagher, which provides general insurance coverage to around 1,000 galleries and nonprofits. Partly responsible for the sparse buy-in rate, she adds, is that galleries are only eligible for cybersecurity policies if they first have certain protocols in place, such as firewalls, dual-identification systems and methods of verifying vendor information before making payments.
The limited size and scope of most dealerships may give owners a false sense of security. “We’re such small potatoes,” says the New York gallerist Nancy Hoffman. “We have just one location, not like some galleries with locations all over. I’m not sure we’re worth any hacker’s time.” Jamie Boote, a principal security consultant at the Software Integrity Group at Synopsys, a California-based company that locates and patches vulnerabilities in businesses’ IT systems, calls this “security based on obscurity”.
Still, having a compact operation is no panacea. The New York-based adviser Candace Worth, who typically has no more than two full-time employees, says the email account of her registrar was hacked a few years back. Fortunately, the breach was detected and remedied early, after a client noticed irregularities in the payment instructions on an invoice. Worth adds that she limits the risks to her clients and her business by refraining from storing banking information on her computers; after all, hackers cannot manipulate or ransom what has never been digitised.
Ultimately, Boote says, cybersecurity improvements are made in response to “client demand, government regulations and breaches like the one at Christie’s that bring attention to the problem”. In this sense, the auction house’s nightmare could be the wake-up call the rest of the trade needs.