Description
On May 10th, the renowned British auction house, Christie’s, announced that its primary website was down due to a cyberattack. In response, the company swiftly created a temporary website explaining the situation and urging site visitors to either register their interest or bid in upcoming sales using the provided contact information, which included phone numbers for its various locations. This contingency measure aimed to mitigate the impact of the outage. The attack occurred during Christie’s marquee annual art auction week in May, which featured high-value items worth an estimated $840 million, including a Vincent Van Gogh painting valued at $35 million.
While the cyberattack forced Christie’s to postpone a rare watch auction in Geneva by 24 hours, other major art auctions proceeded as planned. However, the website disruption did impact sales, as four artworks, including a Brice Marden painting estimated at $50 million, were withdrawn from Christie’s auctions. These withdrawals were likely due to the attack, as the website outage could have reduced the number of potential buyers and affected the achievable sales prices.
Identify Indicators of Compromise (IoC)
While Christie’s has not provided detailed information on the incident, its CIO, Guillaume Cerutti, shared news of the attack on LinkedIn several days later. He described the incident as a “technology security incident” and assured readers that the company has established protocols to manage such situations. Security specialists are speculating on two theories regarding the nature of the attack. The first is that Christie’s experienced a ransomware attack aimed at disrupting operations and extorting the company. The second is that it was an auction-related attack intended to manipulate prices by reducing both the number of potential bidders and the visibility of certain lots.
Actions Taken
The auction company proactively took down some of its systems, including the primary website, to facilitate the IT team’s efforts. The company maintained continual communication with its clients to keep them informed of the situation.
Prevention
The cyberattack caused significant disruption to Christie’s website and operations during one of its busiest auction periods, forcing contingency measures and potentially impacting sales despite the auctions proceeding. The incident highlights the vulnerability of high-profile institutions to cyber threats.
For a major event such as Christie’s annual art auction week, thorough preparation is crucial to preserving business continuity. A well-defined incident response plan (IRP) outlines specific procedures to follow in the event of a cyberattack or another disruptive incident. This includes steps for containment, investigation, and threat eradication, as well as communication protocols for notifying internal teams, customers, and stakeholders.
The temporary website that Christie’s utilized was a rudimentary form of a disaster recovery plan (DRP), whether pre-planned or not. A comprehensive DRP includes secure and isolated data backup systems, along with tested procedures for recovering critical data and systems from those backups. This capability is vital in situations like this, where a website must be restored quickly to resume normal operations. It is also important to take lessons learned from any cyberattack and incorporate them into your DRP and IRP to enhance your preparedness and resilience against future threats.