British auction house Christie's is notifying individuals whose data was stolen by the RansomHub ransomware gang in a recent network breach.

Christie's discovered that it was the victim of a security breach that affected some of its systems on May 9, 2024. After becoming aware of the event, Christie's took measures to secure its network and hired external cybersecurity experts to help investigate the incident's impact.

The auction house says it also notified law enforcement and is now working to support their investigation. 

While analyzing the breach, Christie's found that a threat actor who breached its systems accessed and extracted customer files between May 8 and May 9.

Following the investigation, Christie's reviewed the accessed files to identify individuals whose information may have been affected, obtain their contact information, and alert them of the incident after completing the review on May 30.

The data breach notification letters sent to affected individuals state that the auction house is "not aware of any attempts to misuse your information as a result of this incident."

"We took additional steps to secure our systems and continue to evaluate technical and organizational measures to avoid the reoccurrence of a similar incident," Christie's added [PDF].

The auction house is also offering impacted people a free twelve-month subscription for the CyEx Identity Defense Total identity theft and fraud monitoring service, which will alert them of changes to their Experian, Equifax, and TransUnion credit files to spot any potentially fraudulent activity on their credit reports.

Claimed by RansomHub

While Christie's didn't name the attackers behind the May breach, the RansomHub gang added the auction house to its dark web leak portal, claiming it had breached its systems and stolen sensitive client data.

The cybercriminals claimed to have exfiltrated the full names, addresses, ID document details, and various other sensitive personal information of at least 500,000 Christie's clients.

RansomHub has since updated the Christie's entry, saying they've sold the stolen data on their own auction platform. 

The day the extortion hub claimed the Christie's breach, a spokesperson reported that attackers had breached the company's network and stole a limited amount of personal data belonging to some of its clients.

The company also says that they found no evidence that any financial or transactional records were compromised during the incident.

RansomHub is a relatively new operation that demands ransom payment from victims in exchange for not leaking files stolen during attacks. If negotiations fail, it often auctions the stolen files exclusively to the highest bidder.

While the ransomware gang was identified as a potential buyer of Knight ransomware source code, they hardly ever encrypt files during their attacks, focusing instead on data-theft-based extortion. 

Recently, RansomHub claimed the breach of leading U.S. telecom provider Frontier Communications, which had to shut down its systems in April to contain a cyberattack. The company warned 750,000 customers this week that their information was exposed in a data breach.