Auction house Christie's fined £145,000 in South Korea over 2024 data breach incident

South Korea’s data protection regulator has fined British auction house Christie’s an equivalent of £145,000 for failing to protect the information of 620 Koreans during a data security incident in May 2024.

 

The Personal Information Protection Commission announced this week its decision to serve a fine of 287 million won on the auction house for failing to protect the personal information of South Korean nationals during a cyber attack that occurred between May 8 and May 9, 2024.

 

The regulator said that hackers successfully deceived a Christie’s helpdesk employee to share credentials for an employee’s account over a phone call, enabling them to gain access to the auction house’s IT network ahead of an auction event in New York.

 

Once inside the network, the hacker gained access to and exfiltrated vast amounts of stored information, including the personal information of Christie’s customers and clients. The affected individuals included 620 Korean nationals whose names, nationality, addresses and identification numbers were accessed.

 

PIPC noted that the helpdesk employee shared credentials with the hacker without verifying the identity of the caller and also changed the phone number linked to the account with that of the caller. These mistakes enabled the hacker to quickly access the company’s network and access sensitive information.

 

The fact that Christie’s failed to properly encrypt its customers’ personal information also helped the hacker to exfiltrate the data. Aside from these failings, PIPC also found Christie’s guilty of violating the data protection law by failing to report the incident within 72 hours of discovery.

 

In June 2024, Christie’s told U.S. regulators that the data security incident had compromised the personal information of as many as 45,798 individuals residing in the U.S. The affected data included names and other personal identifiers along with driver’s license numbers and non-driver identification card numbers.

 

The infamous RansomHub extortion group claimed responsibility for targeting the British auction house and listed it as a victim on its data leak site. The group claimed to be in possession of sensitive personal data of at least 500,000 of Christie’s private clients. It is unclear if a ransom was paid to regain access to the sensitive data.