Sotheby’s finds its data on the block after cyberattack • The Register

10/16/2025


Auction house Sotheby’s says it was breached on July 24, and those behind the intrusion stole an unspecified amount of data, including Social Security numbers and financial account information.

The multinational broker of fine art and luxury items said it is not aware of who was behind the attack, but confirmed in a filing with Maine’s Attorney General’s Office this week that two Maine residents were affected by the breach.

The Register asked the auctioneer for more information about the total number of people affected, whether these were staff and/or clients – many of whom are high and ultra high net worth individuals – and whether an extortion demand was made.

In a letter to those affected on Wednesday, Sotheby’s said the attackers broke in despite the company regularly patching systems and testing its incident response plans.

The letter reads: “We have administrative and technical safeguards in place that protect information through layered defenses, strict access controls, secure connections, and advanced threat protections.

“We regularly patch systems, test our internal incident response plans, back up critical services, vet our vendors, and train our workforce to ensure security is built into how we work every day.

“As part of our ongoing commitment to the privacy of information we will continue to review these safeguards and consider further enhancements to ensure the ongoing safety of information on our systems.”

The London-founded, New York-headquartered company is offering affected individuals 12 months’ worth of credit and identity monitoring services through TransUnion, as is customary following US cyberattacks that involve data theft.

The Register has scanned every state’s data breach reporting portal for similar filings, but so far Sotheby’s has only reported the breach to Maine’s AG.

Sotheby’s is the second auctioning giant to be targeted by cybercriminals in as many years. Christie’s was raided by RansomHub in May 2024, but avoided a leak of its data after the group claimed they found a buyer via a private auction.

While it would have been a fitting end to the incident, experts suspected the group, which took over the ransomware mantle after LockBit’s demise, was unlikely to sell the data.

“Auctioning rather than leaking data is not new, but relatively rare, with little evidence that this results in a payout for the criminals,” Don Smith, director of threat intelligence at Secureworks, told The Reg in the summer last year.

“Considering ransomware as a business, up front you expend effort, in the expectation of a later payout. If Christie’s have made it clear they are not going to pay, releasing data draws a line on the incident with no benefit to the bad guys. Auctioning is a last-ditch attempt to achieve a payout. Auctions are more likely to be successful where the victim has a meaningful brand or there’s some expectation the data has real value.

“It is easy to think of ransomware gangs in the abstract, the reality is these are people, with human emotions and frailties. Auctioning Christie’s data may be little more than an amusing irony to the RansomHub operators.”

There is also the possibility that the amount or quality of data RansomHub stole was not impressive enough to leak, and feigning an auction was more of a face-saving exercise. ®
