Hackers Will Never Stop Targeting the Art Market, But Buyers Are Safer Than They Think |
Business Finance Media Technology Policy Wealth Insights Interviews
Art Art Fairs Art Market Art Reviews Auctions Galleries Museums Interviews
Lifestyle Nightlife & Dining Style Travel Interviews
Power Index Nightlife & Dining Art A.I. PR
About About Observer Advertise With Us Reprints
Hackers Will Never Stop Targeting the Art Market, But Buyers Are Safer Than They Think
Auction houses (and some galleries) are investing heavily in layered back-up systems, redundancies and third-party payment platforms to reduce exposure to cyber threats.
It was an absolute mess. “The art dealer’s sales team was locked out of its inventory information, freezing their sales transactions,” Steve Pincus Sr., managing director of insurance brokerage firm Risk Strategies, told Observer. A cybercriminal was holding the gallery’s data hostage by hacking into its systems and encrypting the files, agreeing to decrypt them only after payment—in other words, the gallery was dealing with a ransomware attack. “Once the ransom was paid and system access was restored, it still took several months to be sure that the existing data was not manipulated in any way.”
Sign Up For Our Daily Newsletter
Thank you for signing up!
By clicking submit, you agree to our terms of service and acknowledge we may use your information to send you emails, product samples, and promotions on this website and other properties. You can opt out anytime.
Until the data was verified, it was effectively useless. In the meantime, the sales team could not access inventory. “They didn’t know what works were for sale, for how much, or any other data related to any individual work of art,” Pincus added. Sales were lost, and the gallery filed what is known as a Business Interruption claim.
Fortunately, the gallery had taken out a cyber policy that covered business interruptions, and the insurer paid out a claim exceeding seven figures. This is not simply a story about the value of business insurance, however, but about the risks individual dealers, galleries and auction houses face from hackers seeking sensitive client data, including names, addresses, occupations, credit card numbers, bank accounts and even passport numbers—everything clients provide in order to buy and sell at the highest levels of the commercial art world
“We get attacked very regularly—weekly if not daily,” Sam Spiegel, technology principal at Heritage Auctions, told Observer. The company’s security systems generally blunt those attacks, though the occasional hacker breaks through. In 2019, a ransomware attack took down its website for several days, but Heritage had backups in place and didn’t lose any data. More importantly, it did not have to pay a ransom. There have also been denial-of-service attacks, in which a hacker floods a targeted machine or resource with superfluous requests to overload systems and prevent legitimate traffic from being processed. “We’ve had a couple of those, the last one in 2021, but it only lasted a few minutes. We were able to get things back up and running.” Credit goes to the auction house’s layered back-up systems, fail-safes and redundancies, along with its use of multiple third-party payment platforms where all client financial data is processed.
Spiegel did not come out of the tech world. He graduated from the University of Chicago with a degree in classics and history and joined Heritage in 2013 as part of the auction house’s World & Ancient Coins department. His first foray into the online realm was creating an index of modern and ancient coins that provided clients with pricing and historical context. Technology is something he learned along the way. It is, he admitted, a thankless job, since most clients don’t think about data security until something goes wrong. “We could put out a press release saying ‘Nothing bad happened this week,’ but our clients don’t even want to know that something bad was a possibility.”
What is possible is never far from mind for those tasked with protecting against known and unknown threats. Joshua Eldred, president of Eldred’s auction house, experienced ransomware incidents twice in what he now calls “the old days,” before the company began using a third-party payment platform—Authorize.net—to handle transactions. “We outsource everything,” he told Observer. “We have no sensitive information on our system.” The storage and protection of sensitive client information is left to firms whose core business is defending against cyberattacks, allowing the auction house to focus on selling. Numerous comparable service companies work with galleries and auction houses, with new ones emerging regularly, including Bidpath, Stripe, Square, Chase PaymentTech, Dwolla, AliPay, AuctionPay, Plaid and PaymentCloud. Still, Authorize.net does not relieve Eldred’s of the need for vigilance. Employees are trained to recognize phishing attempts, and staff conduct is periodically reviewed. “We tell staff, ‘don’t click on anything unless you know where it came from.’”
Cybersecurity is not a subject auction houses are eager to discuss publicly. “If I say that we’ve never been hacked, that likely would lead to hackers targeting us, so no thank you,” the CEO of one auction house said on condition of anonymity. Few buyers or consignors ever ask about safety protocols. A spokesperson for Sotheby’s stated that the auction house “takes proactive steps to safeguard our systems and data by regularly updating our security protocols and enhancing our monitoring capabilities to better protect our clients and their valuable information.” A spokesperson for Phillips said that the auction house “remains continuously focused on strengthening our defenses as digital engagement with our auctions continues to grow.”
A worst-case scenario unfolded at Christie’s in May 2024, when the auction house experienced a ransomware attack that lasted 10 days, resulting in a payment of an undisclosed sum to hackers and a $990,000 settlement of a threatened class-action lawsuit to compensate approximately 45,798 people whose data was compromised.
Every sector of the arts economy is vulnerable to hackers, of course. Security breaches have occurred at museums across the U.S., including the Smithsonian Institution in Washington, D.C., Parrish Art Museum in Southampton, New York, Museum of Fine Arts Boston, Frances Lehman Loeb Art Center at Vassar College in Arlington, New York and Crystal Bridges Museum of American Art in Bentonville, Arkansas, as well as at numerous for-profit companies. In 2020, the online art marketplace LiveAuctioneers suffered a data breach affecting 3.4 million buyers and sellers, exposing names, email and mailing addresses, phone numbers and encrypted passwords.
Galleries are particularly vulnerable because “they don’t have a dedicated IT person whose job it is to monitor the online systems,” said James Carroll, founder of Hacket Cyber, a Syracuse, New York-based firm hired by large and small businesses, including galleries and museums, to test the security of their databases and other software. “The people working in galleries want to talk about art and artists, not about the security of clients’ information.”
Galleries also tend to outsource client data storage and rely on security software that may or may not be kept up to date. Cristin Tierney, a gallery owner in New York City, told Observer that “we do not keep client financial and banking information in our database,” adding that “all staff are asked to periodically change their passwords.” She said the gallery has never experienced a breach; perhaps those measures have been sufficient.
The Manhattan-based Art Dealers Association of America serves as an information hub for its members, circulating alerts on active scams, fraud patterns and emerging cybersecurity risks so galleries can take appropriate precautions. Kinsey Robb, executive director of the association, stated that “as the art trade becomes increasingly digital, cybersecurity has shifted from a back-office concern to a core operational issue. Our focus at the ADAA is on education and timely information-sharing, helping galleries stay alert to evolving risks and contributing to broader conversations around internal protocols, staff training and cyber insurance as part of sound risk management. The challenge is no longer whether the art trade will face cyber risk, but how proactively the field adapts as those risks continue to evolve.”
To qualify for cybersecurity insurance, one fine art insurer said, galleries must have certain “protocols in place,” including “firewalls and dual-identification systems,” along with procedures for verifying vendor information before making payments. Some galleries take the process seriously, while others assume the third-party companies they use will keep them safe.
“A well-informed bidder is a confident bidder,” Spiegel said, defining well-informed as someone who understands the quality and value of the objects they are considering. That confidence can erode if buyers worry that the personal data they provide when registering for a sale is not secure. “Heritage is a very technology-forward company, and we have the largest IT department of any auction house,” with many of those employees monitoring phishing emails and, more recently, A.I.-driven scams in which bots impersonate clients. “A.I. is definitely the next wave of cyber attacks,” which will no doubt keep him and his counterparts at auction houses and galleries busy well into the future.
More for art collectors
Why a Signature Can Make or Break an Artwork’s Price
Why a Signature Can Make or Break an Artwork’s Price
The Benefits and Drawbacks of Fractionalized Art Ownership
The Benefits and Drawbacks of Fractionalized Art Ownership
What Collectors Need to Know When Buying Art and Antiquities Abroad
What Collectors Need to Know When Buying Art and Antiquities Abroad
Why Most Art Galleries Don’t Offer Discounts
Why Most Art Galleries Don’t Offer Discounts
Want to Donate Your Collection to a Museum? Read This First
Want to Donate Your Collection to a Museum? Read This First
SEE ALSO: Art Genève Courts Galleries With a Different Market Logic
We noticed you're using an ad blocker.
We get it: you like to have control of your own internet experience. But advertising revenue helps support our journalism. To read our full stories, please turn off your ad blocker.We'd really appreciate it.
How Do I Whitelist Observer?
Below are steps you can take in order to whitelist Observer.com on your browser:
Click the AdBlock button on your browser and select Don't run on pages on this domain.
For Adblock Plus on Google Chrome:
Click the AdBlock Plus button on your browser and select Enabled on this site.
For Adblock Plus on Firefox:
Click the AdBlock Plus button on your browser and select Disable on Observer.com.