Sotheby’s discovered the cyberattacks on July 24; after a two-month investigation, the company reports a breach of personal and financial data — initially targeting clients, but later clarifying that employees were also affected. The investigation is ongoing, and the company has engaged cybersecurity experts and is notifying victims as required.
The breach was discovered on July 24; Sotheby’s conducted a two-month review to determine the extent and type of data stolen. Early public filings indicated that full names, Social Security numbers (SSNs) and financial information were potentially exposed. The company filed a report with the Maine Attorney General’s Office and initially offered those who were notified free 12-month identity theft protection and credit monitoring through TransUnion (with a 90-day window to sign up). However, on October 17, Sotheby’s clarified that the incident affected employees, not customers, and that the investigation and notification work is ongoing in cooperation with law enforcement and external response specialists.
Sotheby’s is a global company with billions of dollars in turnover (approximately $6 billion in sales last year). The auction house industry is an attractive target for cybercriminals due to the large volumes of valuable transactions and personal customer data; last year, the RansomHub group reported a hack of Christie’s, and Sotheby’s has previously faced incidents (web screamers to steal payment data and a supply-chain attack in 2021). In the past, such attacks have often been accompanied by the publication of stolen files on the darknet or ransom demands.
Sotheby’s continues to investigate and notify victims in accordance with regulatory requirements; Those who may have been affected are advised to monitor communications from the company, sign up for credit monitoring services, check accounts, and immediately report any suspicious transactions or requests to restore access. Organizations in related industries should strengthen security in their supply chains and payment processing systems — and users are advised to enable multi-factor authentication and regularly check for information about potential breaches.
