
RansomHub Claims Responsibility for Christie’s Cyberattack

By: Alan J
28 May 2024 at 10:17

The notorious ransomware gang RansomHub has claimed responsibility for a recent cyberattack on Christie's auction house, disrupting its website just days before its marquee spring sales and leaking data to back up its claims. The group posted a message on its dark web leak site claiming to have gained access to compromised information about the world's wealthiest art collectors. Christie's officials downplayed the seriousness of the breach, however, and said that no financial or transactional data was compromised in the attack.

RansomHub Claims Cyberattack on Christie's Auction House

The attack, which occurred two weeks ago, brought down Christie's official website, forcing the auction firm to fall back on methods such as an alternative domain to reach potential buyers and sellers ahead of its highly anticipated spring sales, which the company announced would proceed despite the setbacks. The sales were scheduled to occur at multiple locations such as New York and Geneva, and were estimated to fetch 850 million dollars from buyers.

The RansomHub ransomware gang has now claimed responsibility for the attack on its leak site, stating that it had compromised about 2GB of data from the auction giant during the initial network compromise. The details were said to include BirthPlace, MRZFull, DocumentNumber, BirthDate, ExpiryDate, FirstName, LastName, IssueDate, IssuingAuthority, DocumentCategory, DocumentType and NationalityName.

[Image: Christie's listing on the RansomHub leak site. Source: X.com (@AlvieriD)]

The threat actor group said they had attempted to come to a "reasonable solution," but that Christie's had ceased communications midway and failed to pay the demanded ransom. The threat group shared an alleged sample of the stolen data.

[Image: alleged sample of the stolen data. Source: X.com (@AlvieriD)]

The hackers warned that Christie's would face heavy fines under the EU's General Data Protection Regulation (GDPR) and suffer reputational damage among its clients. The GDPR mandates that EU companies disclose security incidents that compromise client data, with non-compliance potentially leading to fines up to $22 million. Cybersecurity experts describe RansomHub as a powerful ransomware group with possible ties to ALPHV, a network of Russian-speaking extortionists.

Christie's Auction House Downplays Data Leak

Christie’s acknowledged the cyberattack and the unauthorized access, with spokesman Edward Lewine stating that the auction house is investigating the incident. The preliminary findings indicate that the hackers obtained a limited amount of personal client data but stopped short of compromising financial or transactional records. Christie's CEO Guillaume Cerutti also stated in a recent interview with CNBC that there was no evidence that any transaction or financial data had been impacted or leaked in the incident.

The company appeared to downplay the impact of the incident earlier, describing it as a "technology security incident." However, employees privately reported a sense of panic, with top leaders sharing limited information about the breach. Several prominent buyers and sellers also indicated to the New York Times that they were in the dark about the impact, and were not alerted to the hack until a reporter had reached out to them.

Lewine stated that the auction house was now in the process of notifying privacy regulators and government agencies, and would also be notifying affected clients shortly. Despite the attack, the spring sales concluded with $528 million in revenue, suggesting the incident did not significantly deter bidding activities. Following the sales, Christie's regained control of its website.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

“Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach

23 April 2024 at 10:05

UnitedHealth Group has given an update on the February cyberattack on Change Healthcare, one of its subsidiaries. In the update, the company revealed the scale of the breach, saying:

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

UnitedHealth also announced support for affected people.

On Wednesday February 21, 2024, Change Healthcare experienced serious system outages due to the cyberattack. The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States.

The attack on Change Healthcare, which processes about 50% of US medical claims, was one of the worst ransomware attacks against American healthcare and caused widespread disruption in payments to doctors and health facilities.

Despite the ongoing investigation, which is expected to take several more months of detailed analysis, UnitedHealth said it had decided to immediately provide support. The company says it continues to monitor the regular web and the dark web for any published data.

The chief executive of UnitedHealth Group, Andrew Witty, is expected to testify in Congress in May about the matter. Meanwhile the company says it has made strong progress restoring services impacted by the event and is prioritizing the restoration of services that impact patient access to care or medication.

Affected people can visit a dedicated website at changecybersupport.com to get more information, or call 1-866-262-5342 to set up free credit monitoring and identity theft protection.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection
