Digital platforms have become essential to the art market, streamlining sales for galleries and auction houses but creating new cybersecurity challenges. As online transactions surge, threats from ransomware, phishing, and denial-of-service attacks have become persistent realities for art institutions. Sensitive client data, which often includes financial details and personal identification, has emerged as a prime target for cybercriminals. While some companies have implemented comprehensive protections, others, especially smaller galleries, struggle to keep up, frequently relying on external partners for data security. In this environment, both the art world and its clients have growing concerns about the safety of their digital assets.
Awareness of hacking incidents affecting the art market has gradually increased. Previous coverage of attacks in 2019 on Heritage Auctions and the 2020 breach at LiveAuctioneers underscored the vulnerability of both auction houses and online marketplaces. Repeated incidents have highlighted that not only large companies but also smaller businesses in the industry face similar risks, suggesting a widespread need for robust cybersecurity measures. Major breaches have often served as catalysts for expanding cyber insurance and introducing more advanced defenses across the sector, yet data protection practices continue to vary widely between organizations.
How Are Art Institutions Responding to Cyber Threats?
Art auction houses like Heritage Auctions and Eldred’s have adopted layered cybersecurity strategies, incorporating third-party payment processors and rigorous staff training to reduce risk. Heritage Auctions, for instance, managed to avoid ransom payments during a ransomware attack by leveraging secure backups. Their IT department consistently monitors for phishing and A.I.-driven scams, reflecting an approach in which proactive defense has become part of everyday operations. As a spokesperson from Sotheby’s stated,
“We take proactive steps to safeguard our systems and data by regularly updating our security protocols and enhancing our monitoring capabilities to better protect our clients and their valuable information.”
What Risks Do Galleries and Smaller Organizations Face?
Smaller galleries typically lack dedicated IT staff, which makes them more susceptible to attacks and dependent on outsourced security services like Bidpath, Authorize.net, Stripe, and others. Their data protection can hinge on regularly updated software and diligent password maintenance, though these measures do not always prevent incidents. Hacket Cyber’s James Carroll highlighted that people in the art world often prioritize creative work over cybersecurity, suggesting an ongoing tension between business needs and data safety.
Can Cyber Insurance Mitigate the Impact of Data Breaches?
Cyber insurance has provided crucial support to businesses recovering from digital attacks, as seen when an art gallery secured a seven-figure payout for a business interruption claim. To qualify for such policies, organizations must implement features like firewalls, dual-identification systems, and careful verification of vendor information. Despite these safeguards, events such as the Christie’s ransomware case in May 2024 have shown that breaches can still result in significant payouts and legal settlements, prompting continued vigilance from industry stakeholders. As Kinsey Robb from the Art Dealers Association of America emphasized,
“Our focus at the ADAA is on education and timely information-sharing, helping galleries stay alert to evolving risks and contributing to broader conversations around internal protocols, staff training and cyber insurance as part of sound risk management.”
The increase in cyberattacks on auction houses, galleries, and museums signals a permanent shift in art market operations. As digital commerce becomes entrenched in the art world, institutions face ongoing pressure to strengthen their cyber defenses, invest in insurance, and improve staff awareness. Awareness of increasingly sophisticated threats—such as A.I.-driven attacks—underscores the need for continuous adaptation. For anyone involved in the buying or selling of art, understanding how personal data is stored and protected is critical. Regular updates to cybersecurity protocols, use of third-party services with strong reputations, and employee training form the backbone of best practices in defending against data breaches. Clients should not hesitate to inquire about cybersecurity measures before sharing personal information or engaging in high-value transactions. Taking these steps can help ensure that art enthusiasts, dealers, and institutions alike maintain trust and resilience in a digital landscape.
