“We apologise that our full website is currently offline. We are looking to resolve this as soon as possible and regret any inconvenience.” This is what Christie’s customers currently read on the esteemed auction house’s internet presence.
The causes of the website outage are still unclear. The New York Times, first to report, quotes unnamed employees who believe it to be a cyber-attack. This means that clients’ personal data, including credit card or bank account information as well as ownership history for artworks, could be at risk. Speculation is running wild on the art world's social media accounts. Confirmed facts, however, are sparse.
While the spring evening sales for modern, contemporary and impressionist art scheduled for the upcoming week will go on, in person and by phone, the situation could not be more inopportune for the company. It remains to be seen what ramifications the incident will have on the auction results as well as IT security in the wider art world. Discretion has been one of the marks of the art market for decades; a breach of data security will likely not be taken kindly, even by a client base traditionally likely to bid in person or by telephone.
Christie’s has an excellent reputation for professionalism and, according to a statement e-mailed to its clients, protocols in place for incidents such as these. “We are taking all necessary steps to manage this matter, with the engagement of a team of additional technology experts,” a Christie's spokesman said in a statement to The New York Times. “We will provide further updates to our clients as appropriate.”
If clients’ information has in fact been leaked, both the auction house and its clients would need to act immediately. Data protection laws, including the General Data Protection Regulation (GDPR) in the European Union, offer rights and remedies to those affected. Additionally, according to Article 33 of the GDPR, companies that suffer a data breach, such as the one allegedly happening at Christie's, need to inform the data protection authorities of the breach. These authorities are able to impose fines and take other appropriate measures according to Article 58 of the GDPR.
Other art market participants not affected should use this opportunity to shore up their cyber security measures.