Cyberattacks – the Demogorgon of art?
On May 14, 2024, Christie’s, a renowned auction house, experienced a major cyberattack that caused disruptions on its website and online bidding platform. This incident occurred at a critical juncture, coinciding with the planned auction of art valued at $578 million during New York's prestigious spring sales. The cyberattack has sparked worries regarding the security and reliability of the auction procedures, impacting the confidence of both buyers and sellers engaged in these auctions.
The cyberattack on Christie’s highlights a concerning trend: cybercriminals are shifting their focus towards niche industries, moving away from traditional targets like finance and healthcare. The art market has become a new hotspot for cyberattacks as criminals exploit vulnerabilities in less-protected sectors. Recently, a cyberattack on Gallery Systems, a software company, impacted numerous art institutions, including the Museum of Fine Arts Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum of American Art in Arkansas. These institutions relied on the software for managing their online archives and collections.
Beyond museums, other cultural institutions have also faced cyber threats. The Metropolitan Opera and the Philadelphia Orchestra encountered online attacks a couple of years ago, while a ransomware group targeted the British Library, exposing personal data by sharing human resource files online. The evolving landscape of cybercrime highlights the need for heightened cybersecurity measures across all sectors, especially within industries previously considered less vulnerable to such attacks. Stay vigilant and prioritize robust cybersecurity strategies to safeguard sensitive data and operations.
“The objects in museums are valuable, but the information about them is truly priceless,” Erin Thompson, a professor of art crime at John Jay College of Criminal Justice in New York, told The Times. “Often, generations of curators will have worked to research and document an artifact. If this information is lost, the blow to our knowledge of the world would be immense.”
Christie’s situation underscores that no industry is immune to cyber threats. The art market, with its wealthy clientele and valuable assets, presents an attractive target for cybercriminals. The attack on Christie’s could deter potential bidders, who fear that their personal and financial information might be compromised. This, in turn, could further depress the already struggling art market, which saw a 20% decline in sales last year.
The practical risks auction houses face involve the potential compromise of sensitive client information. When engaging in auction transactions, individuals often find themselves divulging extensive personal details beyond basic contact information. This includes job titles, financial data, and even sensitive identification documents like passport scans. Such stringent verification measures are in place to ensure compliance with anti-money laundering laws and to establish the legitimacy of the parties involved. However, this wealth of personal information also presents a tempting target for cybercriminals seeking lucrative opportunities.
Apart from the immediate risks of data breaches and identity theft, there exists a more intangible yet equally concerning threat to the reputation of auction houses. These esteemed institutions, with decades or even centuries of heritage in the art and collectibles domain, have meticulously cultivated their standing. Nevertheless, a single significant breach or cyber intrusion could swiftly erode this hard-earned trust. Clients, wary of potential vulnerabilities, may swiftly divert their transactions elsewhere, jeopardizing the firm's credibility and market position.
Additionally, emerging markets like blockchain-based digital art platforms and NFTs (non-fungible tokens) introduce a wealth of new cybersecurity challenges for creatives. The perceived value of art can instigate widespread theft and compromise of both the art itself and the creator’s online presence. Hackers may target those working in NFTs as they know that artists may not be overly familiar with the threat landscape or best practices. They can therefore often gain control of a victim’s assets through carefully crafted phishing campaigns via email or social media.
If you’re a working artist or a gallery owner, chances are you spend a good amount of your time online. From email correspondence to growing your social media following, being an artist or gallerist in today’s hyperlinked world requires a high level of technological literacy. In today’s competitive marketplace, where instant action and innovation are valued highly, technology and digital solutions prove invaluable and irreplaceable. As such, creatives must be cognizant of the security risks that come with using them ad infinitum, and not be blinded by delusions of grandeur. For all the benefits that automation and generative AI offer creatives and their workflows, it’s important to look beneath the surface and understand the risks they could face if not careful. As more creative professionals leverage digital tools, cloud-based editing software, online portfolio databases, remote file storage, and other online platforms to create, collaborate, and showcase their work, their attack surface grows.
As a result, art galleries, like any organization, need strong cybersecurity to protect their digital assets, including client data, artwork information, and online presence, from cyber threats. This involves implementing measures like strong passwords, two-factor authentication, regular security updates, and staff training.
Some of the key mandatory measures for art galleries are:
1. Protecting Digital Assets:
Data Security:
Client Information: Protect sensitive data like client contact details, purchase history, and payment information.
Artwork Data: Secure information about artwork, including artist details, provenance, and valuations.
Digital Art: Implement measures to prevent unauthorized access, copying, or distribution of digital artworks.
Website Security:
Secure Website: Ensure your website is protected with SSL/TLS certificates, regular security audits, and up-to-date software.
Social Media Security: Change social media passwords regularly, enable two-factor authentication, and be cautious about sharing sensitive information online.
2. Implementing Security Measures:
Strong Passwords: Use strong, unique passwords for all accounts and change them regularly.
Two-Factor Authentication: Enable two-factor authentication for critical accounts to add an extra layer of security.
Regular Security Updates: Keep all software, operating systems, and security tools up to date to patch vulnerabilities.
Firewall and Antivirus Software: Install and maintain firewalls and antivirus software on all devices.
Staff Training: Educate staff about cybersecurity threats, phishing scams, and safe online practices.
Backup Systems: Regularly back up important data to prevent data loss in case of a cyberattack.
Digital Watermarking: Consider using digital watermarks on artwork to deter theft and unauthorized distribution.
3. Understanding the Risks:
Cyberattacks: Be aware of common cyber threats like phishing, malware, ransomware, and social media hacks.
Data Breaches: Understand the potential consequences of data breaches, including financial loss, reputational damage, and legal issues.
Theft and Unauthorized Access: Protect against unauthorized access to your systems and data, which could lead to theft or damage to artwork.
4. Additional Security Considerations:
Physical Security: Implement physical security measures to protect artwork and equipment, such as surveillance cameras, access control systems, and security personnel.
Risk Assessment: Conduct regular risk assessments to identify vulnerabilities and implement appropriate security measures.
Incident Response Plan: Develop an incident response plan to address cyberattacks and data breaches effectively.
Compliance: Ensure compliance with relevant data protection regulations, such as GDPR.
In the realm of auction houses, cybersecurity is a paramount concern. Drouot, a prominent auction house in France, places its trust in PCI DSS (Payment Card Industry Data Security Standard) from Wakefield, Massachusetts. It's a common practice for auction houses to engage third-party operators like Bidsquare, Proxibid, LiveAuctioneers, Invaluable, or Chase Paymentech for tasks such as registering potential buyers and facilitating remote bidding. These operators meticulously segment client data within their networks, enhancing security measures in case of a breach, thus safeguarding individual client information. Moreover, their utilization of private cloud computing systems adds an extra layer of protection, reducing vulnerability compared to public cloud platforms.
As technology continues to revolutionize the art landscape, the intersection of cybersecurity, cloud security, AI, and the arts becomes increasingly crucial. This convergence signifies not only a merging of domains but a pivotal juncture demanding attention. The art sector must prioritize investments in cybersecurity, recognizing the persistent presence of AI and cyber threats. Waiting for disruptions like halted immersive experiences, auction house closures, or compromised creative legacies is not a viable strategy. It's essential for the art industry to proactively forge a harmonious alliance between the arts and cloud security to thwart potential cyber threats and preserve artistic freedom.
Dipayan has been a digital transformation consultant and advisor for over two decades to large multinational firms, with a keen interest in data and AI and a patent in cognitive AI and blockchain. He has worked with clients across Asia Pacific, EMEA and Americas. He is also a practising internationally acclaimed abstract artist for over a decade. His works are shown across various galleries and museums in New York, London, Paris, Amsterdam, Dubai and India, awarded in Florence and Venice, and have been included in numerous private art collections in New York, London, Kolkata and Mumbai. He lives and works out of Mumbai in India.