Hackers Target Art Market, But Buyers Are Safer Than They Think

It was complete chaos. “The art sales team was locked out of their inventory, halting their sales,” Steve Pincus Sr., managing director of insurance firm Risk Strategies, told the Observer. The hacker was holding the gallery’s data by hacking into its systems and encrypting the files, agreeing to decrypt them only after payment—in other words, the gallery was facing a ransomware attack. “Once the ransom was paid and access to the system was restored, it took several months to ensure that the existing data was not used in any way.”

Until the data was verified, it was effectively useless. Currently, the sales team has not been able to access the inventory. “They didn’t know what works were sold, for how much, or any other data related to any individual artwork,” Pincus added. The sale was lost, and the gallery filed what is known as a Business Interference claim.

Fortunately, the gallery had taken out an internet policy that covered business interruption, and the insurer paid out a claim in excess of seven figures. This is not just a story about the value of business insurance, however, but about the risks that individual dealers, galleries and auction houses face from hackers looking for sensitive customer data, including names, addresses, jobs, credit card numbers, bank accounts and passport numbers—everything that customers provide to buy and sell at the highest levels of the commercial art world.

“We’re under constant attack — weekly if not daily,” Sam Spiegel, chief technology officer at Heritage Auctions, told the Observer. Corporate security systems generally blunt such attacks, although the occasional hacker does break through. In 2019, a ransomware attack took its website down for several days, but Heritage had backups in place and did not lose any data. More importantly, it did not have to pay a ransom. There have also been denial-of-service attacks, where a hacker floods a target machine or resource with unnecessary requests to overload systems and prevent legitimate traffic from being processed. “We had a few of those, the last one in 2021, but it took a few minutes. We were able to get things back up and running.” Credit goes to the auction house’s savings systems, security failures and redundancy, as well as its use of multiple third-party payment platforms where all client financial data is processed.

Spiegel did not leave the world of technology. He graduated from the University of Chicago with a degree in antiquity and history and joined Heritage in 2013 as part of the auction house’s World & Ancient Coins department. His first foray into the online world was creating a modern and ancient coin index that provided customers with values ​​and historical context. Technology is something he learned along the way. He agreed, a thankless job, as most customers don’t think about data security until something goes wrong. “We can put out a press release saying ‘Nothing bad happened this week,’ but our customers don’t even want to know that anything bad could happen.”

The possibility is never far from the minds of those tasked with protecting against known and unknown threats. Joshua Eldred, president of Eldred’s auction house, experienced two ransomware incidents in what he now calls “the old days,” before the company started using a third-party payment platform—Authorize.net—to handle transactions. “We’re taking everything out,” he told the Observer. “We have no sensitive information in our system.” The storage and protection of sensitive client information is left to firms whose core business is protecting against cyber attacks, allowing the auction house to focus on selling. Many similar service companies work with galleries and auction houses, with new ones appearing regularly, including Bidpath, Stripe, Square, Chase PaymentTech, Dwolla, AliPay, AuctionPay, Plaid and PaymentCloud. However, Authorize.net does not exempt Eldred from the need for monitoring. Employees are trained to spot phishing attempts, and employee behavior is reviewed periodically. “We tell the staff, ‘don’t click on anything unless you know where it’s coming from.’

Cybersecurity is not something auction houses are eager to talk about publicly. “If I say that we have never been robbed, that may lead the robbers to target us, so no thank you,” said the CEO of a certain auction house who did not want to be named. Few buyers or shippers ever ask about security procedures. A spokesperson for Sotheby’s said the auction house “takes strong steps to protect our systems and data by regularly reviewing our security policies and improving our monitoring capabilities to better protect our customers and their valuable information.” A Phillips spokesperson said the auction house “remains focused on strengthening our defenses as digital interactions with our auctions continue to grow.”

The worst case scenario occurred at Christie’s in May 2024, when the auction house experienced a ransomware attack that lasted 10 days, resulting in an undisclosed amount being paid to hackers and a $990,000 class-action settlement for nearly 45,700 people.

All economic sectors of the arts are vulnerable to hackers, of course. There have been security breaches at museums across the US, including the Smithsonian Institution in Washington, DC, the Parrish Art Museum in Southampton, New York, the Museum of Fine Arts Boston, the Frances Lehman Loeb Art Center at Vassar College in Arlington, New York and the Crystal Bridges Museum of American Art in Bentonville, Arkansas, as well as many for-profit companies. In 2020, online art marketplace LiveAuctioneers was hit by a data breach affecting 3.4 million buyers and sellers, exposing names, email addresses and addresses, phone numbers and encrypted passwords.

Galleries are at greater risk because “they don’t have a dedicated IT person whose job it is to monitor Internet systems,” said James Carroll, founder of Hacket Cyber, a Syracuse, New York-based company hired by large and small businesses, including galleries and museums, to assess the security of their information and other applications. “People who work in galleries want to talk about art and artists, not about the security of customer information.”

Galleries also tend to outsource client data storage and rely on security software that may or may not be kept up to date. Cristin Tierney, a gallery owner in New York City, told the Observer that “we do not store customers’ financial and banking information on our website,” adding that “all employees are asked to change their passwords periodically.” He said the gallery has never experienced a breach; maybe those steps are enough.

The Art Dealers Association of America in Manhattan serves as a clearinghouse for its members, disseminating warnings about active scams, fraud patterns and emerging cybersecurity risks so galleries can take appropriate precautions. Kinsey Robb, the agency’s executive director, said “as the art trade is increasingly digital, cybersecurity has changed from an office concern to a core operational issue. Our focus at ADAA is on education and timely information sharing, helping the gallery stay on top of emerging risks and contributing to broader discussions about internal cyber processes, part of commercial insurance training will no longer be able to address commercial issues. risks. of the Internet, but how the field is adapting as those risks continue to emerge.”

To qualify for cybersecurity insurance, one high-profile art insurer said, galleries must have “actionable procedures,” including “firewalls and two-factor authentication systems,” and processes to verify seller information before making payments. Some galleries take the process seriously, while others think that the third-party companies they use will keep them safe.

“A well-informed bidder is a confident bidder,” Spiegel said, defining a well-informed person as someone who understands the quality and quantity of the items they are considering. That confidence can be eroded if consumers worry that the personal data they provide when signing up for a sale is not secure. “Treasures is a technology-driven company, and we have the largest IT department of any auction house,” many of whose employees monitor emails for phishing and, more recently, AI-driven scams where bots impersonate customers. “AI is definitely the next wave of cyber attacks,” which will no doubt keep him and his colleagues in auction houses and showrooms busy for the foreseeable future.

More for art collectors