Hackers Will Never Stop Targeting the Art Market, But Buyers Are Safer Than They Think
Auction houses (and some galleries) are investing heavily in layered back-up systems, redundancies and third-party payment platforms to reduce exposure to cyber threats.
It was an absolute mess. “The art dealer’s sales team was locked out of its inventory information, freezing their sales transactions,” Steve Pincus Sr., managing director of insurance brokerage firm Risk Strategies, told Observer. A cybercriminal was holding the gallery’s data hostage by hacking into its systems and encrypting the files, agreeing to decrypt them only after payment—in other words, the gallery was dealing with a ransomware attack. “Once the ransom was paid and system access was restored, it still took several months to be sure that the existing data was not manipulated in any way.”
Until the data was verified, it was effectively useless. In the meantime, the sales team could not access inventory. “They didn’t know what works were for sale, for how much, or any other data related to any individual work of art,” Pincus added. Sales were lost, and the gallery filed what is known as a Business Interruption claim.
Fortunately, the gallery had taken out a cyber policy that covered business interruptions, and the insurer paid out a claim exceeding seven figures. This is not simply a story about the value of business insurance, however, but about the risks individual dealers, galleries and auction houses face from hackers seeking sensitive client data, including names, addresses, occupations, credit card numbers, bank accounts and even passport numbers—everything clients provide in order to buy and sell at the highest levels of the commercial art world
“We get attacked very regularly—weekly if not daily,” Sam Spiegel, technology principal at Heritage Auctions, told Observer. The company’s security systems generally blunt those attacks, though the occasional hacker breaks through. In 2019, a ransomware attack took down its website for several days, but Heritage had backups in place and didn’t lose any data. More importantly, it did not have to pay a ransom. There have also been denial-of-service attacks, in which a hacker floods a targeted machine or resource with superfluous requests to overload systems and prevent legitimate traffic from being processed. “We’ve had a couple of those, the last one in 2021, but it only lasted a few minutes. We were able to get things back up and running.” Credit goes to the auction house’s layered back-up systems, fail-safes and redundancies, along with its use of multiple third-party payment platforms where all client financial data is processed.
Spiegel did not come out of the tech world. He graduated from the University of Chicago with a degree in classics and history and joined Heritage in 2013 as part of the auction house’s World & Ancient Coins department. His first foray into the online realm was creating an index of modern and ancient coins that provided clients with pricing and historical context. Technology is something he learned along the way. It is, he admitted, a thankless job, since most clients don’t think about data security until something goes wrong. “We could put out a press release saying ‘Nothing bad happened this week,’ but our clients don’t even want to know that something bad was a possibility.”
What is possible is never far from mind for those tasked with protecting against known and unknown threats. Joshua Eldred, president of Eldred’s auction house, experienced ransomware incidents twice in what he now calls “the old days,” before the company began using a third-party payment platform—Authorize.net—to handle transactions. “We outsource everything,” he told Observer. “We have no sensitive information on our system.” The storage and protection of sensitive client information is left to firms whose core business is defending against cyberattacks, allowing the auction house to focus on selling. Numerous comparable service companies work with galleries and auction houses, with new ones emerging regularly, including Bidpath, Stripe, Square, Chase PaymentTech, Dwolla, AliPay, AuctionPay, Plaid and PaymentCloud. Still, Authorize.net does not relieve Eldred’s of the need for vigilance. Employees are trained to recognize phishing attempts, and staff conduct is periodically reviewed. “We tell staff, ‘don’t click on anything unless you know where it came from.’”
Cybersecurity is not a subject auction houses are eager to discuss publicly. “If I say that we’ve never been hacked, that likely would lead to hackers targeting us, so no thank you,” the CEO of one auction house said on condition of anonymity. Few buyers or consignors ever ask about safety protocols. A spokesperson for Sotheby’s stated that the auction house “takes proactive steps to safeguard our systems and data by regularly updating our security protocols and enhancing our monitoring capabilities to better protect our clients and their valuable information.” A spokesperson for Phillips said that the auction house “remains continuously focused on strengthening our defenses as digital engagement with our auctions continues to grow.”
A worst-case scenario unfolded at Christie’s in May 2024, when the auction house experienced a ransomware attack that lasted 10 days, resulting in a payment of an undisclosed sum to hackers and a $990,000 settlement of a threatened class-action lawsuit to compensate approximately 45,798 people whose data was compromised.
Every sector of the arts economy is vulnerable to hackers, of course. Security breaches have occurred at museums across the U.S., including the Smithsonian Institution in Washington, D.C., Parrish Art Museum in Southampton, New York, Museum of Fine Arts Boston, Frances Lehman Loeb Art Center at Vassar College in Arlington, New York and Crystal Bridges Museum of American Art in Bentonville, Arkansas, as well as at numerous for-profit companies. In 2020, the online art marketplace LiveAuctioneers suffered a data breach affecting 3.4 million buyers and sellers, exposing names, email and mailing addresses, phone numbers and encrypted passwords.
Galleries are particularly vulnerable because “they don’t have a dedicated IT person whose job it is to monitor the online systems,” said James Carroll, founder of Hacket Cyber, a Syracuse, New York-based firm hired by large and small businesses, including galleries and museums, to test the security of their databases and other software. “The people working in galleries want to talk about art and artists, not about the security of clients’ information.”
Galleries also tend to outsource client data storage and rely on security software that may or may not be kept up to date. Cristin Tierney, a gallery owner in New York City, told Observer that “we do not keep client financial and banking information in our database,” adding that “all staff are asked to periodically change their passwords.” She said the gallery has never experienced a breach; perhaps those measures have been sufficient.
The Manhattan-based Art Dealers Association of America serves as an information hub for its members, circulating alerts on active scams, fraud patterns and emerging cybersecurity risks so galleries can take appropriate precautions. Kinsey Robb, executive director of the association, stated that “as the art trade becomes increasingly digital, cybersecurity has shifted from a back-office concern to a core operational issue. Our focus at the ADAA is on education and timely information-sharing, helping galleries stay alert to evolving risks and contributing to broader conversations around internal protocols, staff training and cyber insurance as part of sound risk management. The challenge is no longer whether the art trade will face cyber risk, but how proactively the field adapts as those risks continue to evolve.”
To qualify for cybersecurity insurance, one fine art insurer said, galleries must have certain “protocols in place,” including “firewalls and dual-identification systems,” along with procedures for verifying vendor information before making payments. Some galleries take the process seriously, while others assume the third-party companies they use will keep them safe.
As the cyber threat landscape continues to evolve, Imani Barnes, an associate director at Cyber Risk at Risk Strategies, told Observer that insurers “remain concerned about several controls that could impact a client’s ability to obtain cyber insurance terms.” They include:
- Multi-Factor Authentication (MFA): Employees, contractors, vendors and administrators should verify their identity with more than just a password (such as a code sent to a phone) when accessing cloud applications or company systems.
- Endpoint Protection: Galleries and auction houses need to install advanced security software on every device connected to the network to detect unusual activity and stop potential cyber threats before they spread.
- Cyber Incident Preparedness: This means maintaining daily encrypted backups stored offline and regularly tested, along with a clear, tested plan for how the business will continue operating during events such as ransomware attacks or major system outages.
- Employee Training: All employees should train annually on basic cybersecurity awareness and run phishing simulations, since phishing emails remain the most common way hackers gain access to systems.
- Data Management: Galleries and auction houses should understand what sensitive data their organizations collect and store and how much of it exists to ensure it is properly protected through measures such as encryption and secure storage.
“A well-informed bidder is a confident bidder,” Spiegel said, defining well-informed as someone who understands the quality and value of the objects they are considering. That confidence can erode if buyers worry that the personal data they provide when registering for a sale is not secure. “Heritage is a very technology-forward company, and we have the largest IT department of any auction house,” with many of those employees monitoring phishing emails and, more recently, A.I.-driven scams in which bots impersonate clients. “A.I. is definitely the next wave of cyber attacks,” which will no doubt keep him and his counterparts at auction houses and galleries busy well into the future.
No comments:
Post a Comment