What Buyers and Sellers Need to Know About Art Auction Security in the Age of Cyberattacks
The recent cyberattack targetting Christie’s, which took its website down and may have impacted other systems, has sent jitters through the auction world. Christie’s did successfully hold its scheduled Marquee Week sales in the U.S. and abroad—the 20th Century Evening Sale brought in $413.3 million— but the security breach, which the auction house continues to refer to as simply a “technical incident,” has not been fully resolved. According to one company spokesperson, a “team of technology experts” have been “determining the scope and impact of this incident.” He added that Christie’s has “communicated to our clients and are keeping them informed. Our focus remains on minimizing disruption to them.”
Christie’s and its clients will weather this storm, but a question lingers: if a top-end auction house is at risk of this type of techno interference, what might other, smaller players in the industry—and their buyers—face?
“We’re all subject to crazy things these days. It makes us very nervous,” Sandra Germain, owner of Shannon’s Fine Art Auctioneers in Connecticut, told Observer. “Christie’s was targeted right before a big sale. That’s quite disturbing.”
Other professionals in this space shared similar feelings of anxiety. “In today’s digital landscape, there are malicious actors who pose threats,” offered Jay Frederick Krehbiel, executive chairman of Chicago-based Freeman’s/Hindman auction house. “Sadly, as we have seen time and again, and despite our and our peers’ best efforts, no system—whether run by a business or government body—is impenetrable.”
A spokesman for a New York City auction house that did not want to be named likened the security breach at Christie’s to “living in a neighborhood, and down the block someone’s house is broken into. It makes you wonder, am I next?”
“What happened at Christie’s and worries that it could happen to us have caused us a lot of anxiety,” said Georgina Winthrop, president and owner of Grogan and Company, an auction house in Boston. “This is very much top of mind.”
It’s about more than optics. Those seeking to buy or sell at auction have long been required to provide sensitive information beyond name and address—job titles, banking information, credit card numbers, social security numbers, passport numbers and scans of identifying documents—as a way of verifying their identities and to comply with anti-money laundering statutes. All that information can be a source of temptation for enterprising hackers looking for wealthy targets, and these criminals tend to cast a wide net. In 2020, the online art and collectibles marketplace LiveAuctioneers suffered a data breach that affected 3.4 million buyers and sellers.
“We feel we are living in a more dangerous world,” Paul Minshull, chief operating officer at Heritage Auctions, told Observer, but added that this is nothing new. “Attacks are never-ending. We see constant probing by the hackers, and we try to detect attacks as soon as possible.”
How auction houses handle cybersecurity
Many, if not most, auction houses outsource cybersecurity. Grogan and Company, for one, leaves the technical side of their business to the experts—the company has cybersecurity insurance and outsources its information technology operations to a local IT company while its website is hosted by Invaluable, the online auction marketplace. Many other auctioneers do the same. Drouot, an auction house in France, relies on PCI DSS (Payment Card Industry Data Security Standard), which is based in Wakefield, Massachusetts, according to spokeswoman Sophie Dufresne, who reiterated that the firm “keeps a close eye on data security.”
It’s also common for auction houses to contract with third-party operators, e.g., Bidsquare, Proxibid, LiveAuctioneers, Invaluable or ChasePaymentech, to register prospective buyers and provide the channels for remote bidding. These companies segment client information into different areas of their networks, so if data were intercepted in a breach, hackers would find it difficult to piece together any one client’s information. Additionally, these companies have their own private cloud computing systems, making them less susceptible to risks on the public clouds.
Like Christie’s, Heritage has developed its own security software. It currently has two full-time security staffers monitoring its systems for breaches and attempted hacks.
According to Minshull, there are more than 3,000 attacks on Heritage’s computer system every day. “These are attempts to access our network.” Video game auctions have proven to be the most popular sales targetted by cyberattackers and, “in one sale, we had 10,000 probes a second.” Emails containing malware are frequently where attacks begin, requiring regular training of auction house staff. “The weakest link in any security system is the people,” and the security staff routinely send “phishing” emails to staff members to test if employees are following company protocols. Minshull noted that Heritage also monitors its vendors for vulnerabilities that need to be secured.
The practical risks auction houses face involve the potential compromise of sensitive client information. A more ambiguous but equally fraught concern is the threat to a firm’s reputation a successful attack can pose. The major auction houses have built up good standing in the art and collectibles fields over a century or more, but just one significant data breach or system incursion could prompt clients to look elsewhere to buy and sell.
People more than systems tend to be the weak links in cybersecurity; hackers often gain access to sensitive information not via brute force attacks but via weak passwords, pilfered hardware or successful phishing attempts. Third-party vendors represent another point of vulnerability. The hackers who broke into Target’s systems in 2014, thereby gaining access to customer credit card information, did so by stealing the network credentials of a Philadelphia-based refrigeration, heating and air conditioning subcontractor that had also done work for BJ’s, Trader Joe’s and Whole Foods.
Sometimes the best way to protect sensitive information is to not have it on hand for attackers to steal. Shannon’s Fine Art Auctioneers limits the exposure of its clients’ personal information by not keeping it on file, according to Germain. “We don’t want to be responsible for credit card and wire transfer information, so we get rid of it immediately.” She noted that some clients “send us emails with their credit card numbers. We tell them not to do that, and then we delete those emails.”
The more recent May 9 attack leveled at Christie’s resulted in the downing of the auction house’s website, making it impossible for prospective buyers to view lots in its major spring sales or make bids through the site, although bidding still took place in-person and via phone. Yet only one of the scheduled sales, an auction of watches in Geneva, Switzerland, was postponed, and that was just for one day. The Marquee Week sales occurred on schedule, with essentially no interruptions.
“The fact that Christie’s was able to respond effectively so quickly to its security breach indicates that people there have thought about and planned for these situations,” Allen Blount, national product leader for cyber and technology for Boston-based Risk Strategies, told Observer. His company provides cybersecurity insurance for a growing number of auction houses, art galleries, art advisories and appraisers, and it has handled “scores of claims” based on those policies. “As the industry becomes more digital, you see more phishing attempts,” he said, most often in the form of malware embedded in an email that a staff member mistakenly opens.
“You’re going to get hacked, we accept that,” he added. “The real issue is how to mitigate the losses.”
SEE ALSO: How Nations Around the World Deal with Art Forgeries
The Shannon’s strategy of deleting information before it can be swiped by cybercriminals notwithstanding, the data that bidders and consignors provide auction houses usually needs to be stored somewhere and that means it needs to be encrypted. Art collectors doing business with auctioneers (or art galleries, art advisors or even appraisers) should be proactive about asking these businesses how their information is kept safe. They should also inquire whether there is an emergency plan in the event of a cybersecurity breach. Of course, judging the degree to which information is adequately protected probably is beyond most auction buyers—and companies don’t necessarily have to notify customers impacted by cyberattacks.
A 2005 New York law, updated in 2013, requires individuals and companies doing business in the state to disclose any breaches of computerized data to the state attorney general’s office, as well as to the state police and Division of Consumer Protection, and they also must notify affected customers. The European Union has a similar rule for its member nations, the General Data Protection Regulation, which took effect in 2018. But much of the time, information about which companies have had data security breaches is not made publicly available, and buyers and sellers who ask the staff at auction houses about cybersecurity can only hope for informed and understandable answers.
Auction houses aren’t the only targets, of course. Security breaches have taken place at numerous museums in the U.S. (e.g., the Smithsonian in Washington, D.C.; Parrish Art Museum in Southampton, New York; Corning Museum of Glass in Corning, New York; the Museum of Fine Arts, Boston; the Rubin Museum of Art in New York; Frances Lehman Loeb Art Center at Vassar College in Arlington, New York; and the Crystal Bridges Museum of American Art in Bentonville, Arkansas). High-profile for-profit companies outside the art world (Home Depot, JP Morgan Chase, Anthem Blue Cross, Sony Pictures, Staples, Michaels and Community Health Systems, to name just a few) have been the notable targets of large-scale attacks, which is not particularly reassuring but does offer some perspective.
Auction houses aren’t any more of a target for hackers than other companies, Minshull said. In other words, Christie’s probably wasn’t targetted specifically because of its clients’ wealth or prestige or art holdings. “It’s a business for these people, trying to find a company with the ability to pay a ransom,” he explained. “Employees go to a desk and are given a list of companies to try to hack, and when their shift is over, another person goes to the same desk and starts in.”