(Bloomberg) -- A hacking group that targeted Christie’s stole information — including names, dates of birth and passport numbers — that customers provided to the auction house to verify their identities, according to a memo sent to customers.

The attackers also accessed some customers’ genders and birthplaces from passport information that Christie’s had used for ID checks, according to the memo, which was reviewed by Bloomberg News. Data obtained from driver’s licenses and other forms of ID included full names and dates of birth, according to the memo, which is dated May 30.

The hackers didn’t access copies of the identification documents, the memo said.

The attackers also didn’t obtain ID photographs, signatures, email addresses or phone numbers, according to the memo. Nor did they compromise financial data such as bank accounts and credit card numbers or information related to Christie’s transactions, according to the memo.

A Christie’s spokesperson confirmed the memo’s veracity. The auction house has begun notifying affected clients and has set up dedicated telephone hot lines and email, the spokesperson said.

Read More: Hacking Group Claims to Have Stolen Data From Christie’s

In a post on the dark web, the cybercriminal group RansomHub claimed responsibility for the attack. The gang claimed it gained access to personal information about Christie’s wealthy clients, publishing a “sample” of the data with a few names, nationalities and birth date. RansomHub included a countdown clock in the post, suggesting they would publish the entire trove of data in early June unless Christie’s paid an extortion fee.

The group’s claims, and the sample data it posted, couldn’t be verified. 

That RansomHub still has a countdown clock ticking toward when the group says it will publish client data indicates the auction house didn’t pay a ransom, according to Brett Callow, a threat researcher at the cybersecurity firm Emsisoft. He said the type of data taken in this instance gives the hackers little leverage.

“That is the information that would have been found in the phone book in previous years,” Callow said. “More than anything this incident is embarrassing to Christie’s”

But Callow also warned that many breached companies have been wrong in their initial assessments of what types of data was taken, and that getting conclusive answers can be a “long complex process” that takes months.

The auction house was forced to take down its website on May 9 following the attack, which occurred on the eve of watch auctions in Geneva and days before Christie’s began important auctions in New York. 

Christie’s managed to sell $115 million in art in a single evening earlier this month, in spite of the attack. In total, its May marquee week sales yielded $640 million.


--With assistance from Jake Bleiberg.

(Updates with comments from Brett Callow starting in eighth paragraph. A previous version of this story corrected a mispelling in headline.)

©2024 Bloomberg L.P.