Christie’s hit with class action lawsuit over exposure of clients’ personal data in cyberattack

The fallout of the cyberattack against Christie’s is intensifying. A client of the international auction house filed a class action complaint in the Southern District of New York yesterday (3 June) over Christie’s inability to protect the “personally identifiable information” (PII) of what are estimated to be at least 500,000 current and former bidders registered in its databases.

The complaint requests damages, including of the “actual, nominal, statutory, consequential and punitive” varieties, in an amount to be determined in a jury trial, as well as the payment of the plaintiff’s legal expenses. It also seeks court orders that would require Christie’s to undertake a long list of actions related to its client data and information security, including encrypting large tranches of its business-related data, removing sensitive personal information on its clients from cloud-based storage and conducting regular tests of its data security measures.

The only plaintiff currently named is Efstathios Maroulis, who the complaint defines only as a resident and citizen of Dallas, Texas. At the time of writing, a LinkedIn profile matching Maroulis’s name and locale listed its owner as the vice president and general manager of dental analytics and patient experience at a subsidiary of Henry Schein, a publicly traded, US-based supplier of dental and medical supplies.

A Christie’s spokesperson declined to comment on the lawsuit, citing the auction house’s policy on abstaining from public discussions of litigation. Milberg Coleman Bryson Phillips Grossman, the law firm representing Maroulis, had not responded to a request for comment by publication time. A message to the LinkedIn profile believed to belong to Maroulis also went unanswered.

From the dark web to data brokers

The complaint portrays the breach as “a direct result of [Christie’s] failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers’ PII from a foreseeable and preventable cyberattack”. It goes on to allege that “data thieves have already engaged in identity theft and fraud and can in the future commit a variety of crimes” with the purloined information, which is now known to include customers’ full names, genders, birthdates, birthplaces and a variety of information from the identification pages on their passports, such as document numbers, expiration dates, issuing countries and barcode-like “machine-readable zones” (MRZs).

RansomHub, a network of hackers, claimed responsibility on 27 May for the cyberattack on Christie’s. The group said it would release the stolen data on the dark web unless the auction house paid an undisclosed sum before mid-day on 3 June; the deadline passed without any evidence of further action on RansomHub’s part, according to Bloomberg. The group also threatened to hold an auction for Christie’s data shortly after it took credit for the breach, though the outcome of that measure—or whether it happened at all—remained unclear by publication time.

Nonetheless, Christie’s clients are now threatened by multiple forms of identity theft, according to Maroulis’s lawsuit. These range from the obvious, such as the prospect of bad actors opening fraudulent financial accounts and taking out loans in the names of the exposed clients, to the less intuitive, including using the exposed parties’ data to illegally secure government benefits, acquire driver’s licences pairing Christie’s clients’ names with alternate photographs and “giving false information to police during an arrest”.

These risks may seem exaggerated to sceptics who have read the now-widely-circulated email sent by the auction house to affected customers on 30 May. Although Christie’s verified the exposure of the types of personal information later referenced in Maroulis’s lawsuit, the firm stated that the hackers acquired no financial details, transaction-related information, photos, signatures or additional contact information related to its clientele.

Yet Maroulis’s complaint complicates this picture somewhat. It describes how hackers with at least two forms of personally identifiable information can “marry” those illegally acquired details with data publicly available elsewhere to “assemble complete dossiers on individuals” with “an astonishingly complete scope and degree of accuracy”. These fleshed-out packages, called “fullz” in hacker circles, typically bring considerably higher prices on the dark web than partial records thanks to their considerably higher utility in perpetrating identity theft.

Beyond these malicious possibilities, the lawsuit expands the scope of alleged harm in a new and somewhat curious direction: that of legitimate data brokers, or intermediaries who aggregate and sell legally obtained information on potential customers to other businesses. The complaint alleges that data brokering comprises a $200bn market—and that Christie’s clients can no longer voluntarily sell their personal data in it at full value because that data has already been exposed by the RansomHub breach. Worsening the alleged injury, information on the auction house’s customers “may also fall into the hands of companies that will use [it] for targeted marketing” without their approval.

Disclosure and diminishment

The complaint takes aim at Christie’s communications with its clientele after the breach, too. The lawsuit argues that the 30 May email from Christie’s to its impacted customers omitted any information about the specific perpetrators of the cyberattack, the date on which it occurred, the means by which it was executed and the steps being taken to prevent similar incidents in the future. After adding that the auction house provided no additional details on these matters before the filing, the complaint states: “This ‘disclosure’ amounts to no real disclosure at all.”

Furthermore, it accuses the auction house of failing to follow up with the impacted clients to see if their data had been misused in any way since the breach, neglecting to say whether such misuses should be reported to Christie’s and declining to provide any mechanism to report these problems. The plaintiff alleges that being kept uninformed on the above fronts leaves the auction house’s customers “severely diminished” in their capacity to limit the harm that might be done to them as a result of the breach.

(In the 30 May email, Christie’s noted that it had reported the breach to “all relevant authorities”, including the UK police and the FBI, as well as “relevant data protection regulators globally”; it also offered all affected clients in eligible jurisdictions one year of identity theft and data monitoring services at no cost.)

The purported harm done to Christie’s clients becomes personalised late in the filing, where Maroulis alleges that he has received an increased number of spam calls, texts and emails since the cyberattack. He is described as “very careful about sharing his sensitive PII”—so much so that he “would not have entrusted” it to the auction house had he known of its “lax data security policies”. The complaint states that, for Maroulis and the rest of Christie’s customers, “time is highly valuable and irreplaceable”, meaning their attempts to safeguard themselves from the consequences of the cyberattack have already resulted in actual losses.

The breach has also, according to the complaint, caused Maroulis “to suffer fear, anxiety and stress, which has been compounded by the fact that [Christie’s] has still not fully informed him of key details about the data breach’s occurrence”. It remains to be seen how many of the auction house’s other clients will express similar feelings by joining the class action in the days and weeks ahead.