Auction house Sotheby's says it was breached on July 24, and those behind the intrusion stole an unspecified amount of data, including Social Security numbers and financial account information.
The multinational broker of fine art and luxury items said it is not aware of who was behind the attack, but confirmed in a filing with the state's Attorney General's Office this week that two Maine residents were affected by the breach.
The Register asked the auctioneer for more information about the total number of people affected, whether these were staff and/or clients – many of whom are high and ultra high net worth individuals – and whether an extortion demand was made.
In a letter to those affected on Wednesday, Sotheby's said the attackers broke in despite the company regularly patching systems and testing its incident response plans.
The letter reads: "We have administrative and technical safeguards in place that protect information through layered defenses, strict access controls, secure connections, and advanced threat protections.
"We regularly patch systems, test our internal incident response plans, back up critical services, vet our vendors, and train our workforce to ensure security is built into how we work every day.
"As part of our ongoing commitment to the privacy of information we will continue to review these safeguards and consider further enhancements to ensure the ongoing safety of information on our systems."
The London-founded, New York-headquartered company is offering affected individuals 12 months' worth of credit and identity monitoring services through TransUnion, as is customary following US cyberattacks that involve data theft.
The Register has scanned every state's data breach reporting portal for similar filings, but at present Sotheby's has only reported the breach to Maine's AG.
Sotheby's is the second auctioning giant to be targeted by cybercriminals in as many years. Christie's was raided by RansomHub in May 2024, but avoided a leak of its data after the group claimed they found a buyer via a private auction.
While it would have been a fitting end to the incident, experts suspected the group, which took over the ransomware mantle after LockBit's demise, was unlikely to sell the data.
"Auctioning rather than leaking data is not new, but relatively rare, with little evidence that this results in a payout for the criminals," Don Smith, Vice President Threat Research at Sophos, told The Reg last year.
"Considering ransomware as a business, up front you expend effort, in the expectation of a later payout. If Christie's have made it clear they are not going to pay, releasing data draws a line on the incident with no benefit to the bad guys. Auctioning is a last-ditch attempt to achieve a payout. Auctions are more likely to be successful where the victim has a meaningful brand or there's some expectation the data has real value.
"It is easy to think of ransomware gangs in the abstract, the reality is these are people, with human emotions and frailties. Auctioning Christie's data may be little more than an amusing irony to the RansomHub operators."
There is also the possibility that the amount or quality of data RansomHub stole was not impressive enough to leak, and feigning an auction was more of a face-saving exercise. ®

