submitted.news

Christie’s slapped with 280 million won penalty, 7.2 million won fine for data breach

Written by

Submitted

in

Published on April 10, 2026

Christie’s auction house was issued penalties on Thursday for a data breach that exposed the personal information of hundreds of local clients.

The Personal Information Protection Commission imposed a 280 million won ($210,000) penalty on Christie’s, along with an additional 7.2 million won fine. The commission also ordered the company to publicly disclose the sanctions for failing to comply with Korean data protection laws.

The breach dates back to May 2024, when Christie’s website went offline just before its marquee New York auctions—one of the busiest periods for the global art market. Initially suspected to be the result of a cyberattack, there were fresh concerns about the potential compromise of sensitive data belonging to wealthy collectors.

A subsequent investigation revealed that the breach began when a help desk employee at the auction house fell victim to a voice phishing scheme. The employee mistakenly granted a hacker, posing as an administrator, access to the personal data processing system of Christie’s.

“The help desk staff failed to follow identity verification procedures and reissued a password to the hacker, while also changing the phone number required for account access to one controlled ,” an official from the commission stated.

As a result, the personal information of 4,670 registered users, including 620 Korean members, was leaked to the hacker. The exposed data included names, nationalities, and addresses, as well as highly sensitive identifying information such as resident registration numbers, passport numbers, and driver’s license numbers.

Korean investigators further found that Christie’s had stored such sensitive data for identity verification purposes, but did so without encryption, raising further concerns about the potential for misuse of the compromised information.

Related News

Related Articles