Cyber-Attack Disrupts Christie’s $840M Art Auctions

A cyber-attack has disrupted auction house Christie’s attempts to sell art and other high-value items worth an estimated $840m. Among the items up for auction are a Vincent van Gogh painting valued at $35m and a rare wine. 

The cyber-attack took Christie’s website offline, possibly as early as last week, preventing potential buyers from viewing the lots online.

“Anywhere there is money somewhere on the internet, attackers have been exploiting vulnerabilities to their benefit,” said Jamie Boote, associate principal consultant at the Synopsys Software Integrity Group.

“This is far from the first auction-related attack. There’s even a class of exploits known as ‘eBay Attacks’ where attackers used to exploit the five-minute account lock-out to freeze out other bidders from raising the prices on goods they wanted to win. This was because eBay used to list the account names of other bidders, and all the attacker had to do was enter in the displayed user name and a wrong password 3-5 times in succession, and that user wouldn’t be able to log in and bid.”

Despite this setback, the auction house says bids can still be placed through phone and in-person channels. 

Christie’s CEO, Guillaume Cerutti, shared the news of the attack on LinkedIn on Monday, describing it as a “technology security incident” and saying the company has established protocols to manage such situations.

“We are managing this incident according to well-established practices supported by experts in the field. We have made proactive decisions – including taking our main website offline,” reads the post.

As a result of the attack, the sale of a collection of rare watches, including those owned by Formula 1 star Michael Schumacher, has been delayed. However, the auctions are proceeding, with some events rescheduled. 

“While Christie’s asserts that their protocols are ‘regularly tested,’ this incident is a critical reminder for all organizations to not only test their defenses but also to simulate real-world attack scenarios to truly gauge their resilience,” warned Javvad Malik, lead security awareness advocate at KnowBe4.

“These tests shouldn’t just be conducted in isolation against IT systems but should also test the people and procedures that they follow.”

Despite the website outage, basic information about the auction items can be accessed via an alternative website provided by Christie’s.
