Its disclosure came after RansomHub claimed responsibility for the cyberattack and threatened to release client data on the dark web.
The auction house Christie’s said Thursday that it had alerted the Federal Bureau of Investigation and the British police about the cyberattack that hobbled its website earlier this month, and began telling clients what types of personal data had been compromised.
The company said in an email to clients that neither their financial data nor any information about their recent sales activity had been exposed in the hack. But it said that some personal data from clients’ identification documents had been compromised.
“The personal identity data came from identification documents, for example passports and driving licenses, provided as part of client ID checks, which Christie’s is required to retain for compliance reasons,” Jessica Stanley, a Christie’s spokeswoman, said in a statement on Thursday morning. “No ID photographs, signatures, email addresses or phone numbers were taken.”
It was the first time that Christie’s officials had detailed to the public what kind of information the hackers might have acquired from its records on some of the world’s richest art collectors. The admission came a few days after a group called RansomHub took responsibility for the cyberattack and threatened to release its findings on nearly 500,000 clients of the company. Previously, the auction house referred to the cyberattack as a “technology security incident” and attempted to calm anxious bidders with a temporary website despite serious concerns among some employees.
The company’s efforts to downplay the importance of the cyberattack were largely successful with bidders. Its marquee spring auctions, which got underway shortly after the hack, netted sales worth $528 million.
RansomHub, which took responsibility for the Christie’s hack, wrote on the dark web that “we attempted to come to a reasonable resolution with them but they ceased communication midway through” and threatened to begin releasing data.
Christie’s said in its email to clients that it had notified the relevant law enforcement authorities in Britain and the United States. Law enforcement officials did not immediately respond to a request for comment.
In its email to clients, Christie’s urged people to check their accounts for any unusual activity and wrote that it would be offering them “complimentary identity theft protection and monitoring services.”