Christie’s, a major auction house that’s used by some of the world’s wealthiest traders, faced a large data breach that resulted in sensitive information about major collectors’ artwork being leaked.
Essentially, when you submit artwork to Christie’s via one of their websites, the picture you submit carries a hidden vulnerability that can be taken advantage of by anyone on the internet. That photo may contain your exact GPS coordinates. In fact, 10% of the pictures found on Christie’s had the user’s GPS coordinates able to be found through that picture.
It’s not just nearby locations either, the data is so specific that it can be pinpointed within a few feet of the building where the artwork is kept at. This means exceptionally valuable pieces of art are at a higher risk of a criminal stealing them.
Hundreds of users who submitted their artwork to the website have been impacted.
“[These vulnerabilities] have resulted in the compromise of personal, financial, and health information of millions of users and consumers,” said CISA.
“Unfortunately, it only took us a few minutes to come across this serious vulnerability,” explains Martin Tschirsich, a researcher with Zentrust Partners. “The vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.”
The issue was reported to Christie’s back in July, but it’s only been patched this last week — another researcher with Zentrust Partners remarked that the fix could have been applied in a matter of days, even hours.
“As cybersecurity researchers we were very surprised by this reaction,” they tell the Washington Post.
Christie’s auction house responded to the incident.
“Christie’s respects its client’s concerns about privacy and treats the protection of client information as a top priority. We maintain a comprehensive information security program comprised of safeguards designed to protect against unauthorized access to and disclosure of client information,” Christie’s said..