As Auctions Go Digital, Hackers Set Their Sights On Buyers’ Data

How safe is your information once it's with an auction house?

(Illustration: Carlos Zamora)

Auction bidders know the drill: You look through an auction catalogue and find something that’s a must-have. You make a decision on how high to go, how much desire for the object overwhelms price concerns—the pulse-racing stuff of being a collector. Then there is the business of registering to bid: name, address (or addresses, of multiple homes or art-storage facilities), job, bank and checking account information, credit card number, social security number, passport number—all to be kept on some computer file.


Maybe this is the time when your pulse should be racing.

In the past couple of years, hackers have seized confidential client information at Home Depot, Target, JP Morgan Chase, Anthem Blue Cross, Sony Pictures, Staples, Michaels and Community Health Systems, to name just a few. Just last year, eBay’s network was breached, allowing hackers to gain access to the name, address, date of birth, telephone number, email address and encrypted password of some 233 million account holders worldwide. The online auctioneer itself only discovered that its security had been compromised two or three months after the fact. FBI agents and the private Internet security firm hired to examine the breach continue to say that their investigation of what took place and who was responsible for it is “ongoing.” And, according to an FBI spokeswoman, data breaches have been a particularly “big issue in auto auctions.”

Use complicated passwords, don’t share them with your own employees, art dealers or consultants, and change them often.

Consider basing your passwords on a personal sentence, as in: ‘Joan wants to go to Australia for our honeymoon,’ which would become JW2G2A4OH. The longer the sentence, the longer the password, and use a different one for each auction house or bidding platform.

Wipe cell phones and computers of personal data before disposing of them.

Ask the auctioneer about data protection measures, encryption and incidents of hacking.

Never use your social security number as part of your PIN.

Provide only one credit card for payment.

Ask that a verbal password be added to your auction account, so anyone requesting information or bidding on your behalf must know that word.

according to the company’s senior vice-president Kerry Shrives. “It didn’t impact our business. We got in touch with all the bidders by phone, and the sale took place,” she noted.

A security breach in the past year at Leslie Hindman Auctioneers in Chicago, referred to as a “ransom Trojan,” also was a general attack, not targeted at client information. “The offender was locking our files and holding them ransom, seeking monetary compensation in the form of Bitcoins,” said Justin Bersuder, director of technology.

“We didn’t feel comfortable negotiating or giving in to their requests, so we declined and restored our files to an earlier backup and the threat was removed.”

Both houses said little damage was done. “Overall we lost about one day of normal business operations,” said Mr. Bersuder, while at Skinner the sale went off without a hitch.

But auction bidders may be more vulnerable to hackers because of the large amount of information they disclose to auction houses, and because their own employees, art dealers or consultants often complete transactions on their behalf.

So auctioneers are being increasingly careful. At Drouot, the online auction house in Paris, France, the company never has “had any successful hacking attempts that we know of,” said Christopher Pourtale, chief technology officer, “but individual clients have been hacked.” The usual reasons, he said, were that their customer passwords were weak and easily discovered by “someone sniffing around” or that the client had used a “public computer” that gave another person access. When Drouot discovers instances of an unauthorized user, staff “close the account and start a new one with a stronger password.”

Indeed, clients can be the weak links in cyber security, and so can their employees (who post their passwords on their computer monitors or lose their company laptops) and third-party vendors. The hackers who broke into Target did so by stealing the network credentials of a Pennsylvania-based refrigeration, heating and air conditioning subcontractor. That same company also had done work for BJ’s Wholesale Club, Trader Joe’s and Whole Foods.

All that sensitive information that bidders provide auction houses needs to be encrypted, both on its way to the auctioneer and wherever it is stored afterward. Judging whether that is done adequately is probably beyond most auction buyers, and only part of it can be checked from the outside. Qualys SSL Labs of Redwood City, Calif., offers a free online test of any public website’s TLS configuration, that is, of how well data is encrypted in transit between a browser and the site; a good grade says nothing about how the data is protected once it arrives. At the time of writing it rated Heritage Auctions an “A,” Sotheby’s and Christie’s “B,” Swann Galleries “C,” and a handful of others “F.”

A 2005 New York State law, updated in 2013, requires individuals and companies doing business in New York to disclose any breach of computerized data to the state attorney general’s office, the state police and the Division of Consumer Protection, and to notify affected customers. However, the information on which companies have had data security breaches is not made publicly available, and consumers can be left to do their own research.

Many auction houses handle the IT problem by not handling it themselves. “We don’t keep information in our system,” said Gene Shannon, president of Shannon’s Fine Art Auctioneers in Greenwich, Conn. “We dump it all after someone registers,” but dumping doesn’t mean that it is deleted or erased. Rather, it is stored elsewhere, in this case with Invaluable, the Boston-based online bidding platform that is used by dozens of auction houses.

Many auction houses rely on third-party operations, such as Bidsquare, Proxibid, LiveAuctioneers and Invaluable, to register prospective buyers for sales and provide the channels for remote bidding. “We outsource all our IT,” said Lucy Grogan, vice-president of Grogan & Company in Boston.

Invaluable has “never had a security breach,” according to D.J. Charles, the company’s chief technology officer, and all bidder information “is safely stored in a strong-encrypted format with Chase Paymentech,” a leading credit card processing company established in 1985. He noted that all client information is “segmented” into different areas, so that “even if data were intercepted by a breach it would be difficult to access or reassemble” for a hacker, and that the company has its own private cloud computing system, “so we’re not susceptible to risks on the public clouds.”

(Illustration: Carlos Zamora)

Jason Nielsen, senior vice-president of operations at Proxibid, which is headquartered in Omaha, Neb., and works with approximately 3,000 vendors, including some noted auctioneers, said that his company does “a fair amount of educating sellers on the importance of securing and storing client information. I think there is still work to be done.”

Good systems are all well and good, but hackers spend their time trying to get around them. Simply holding a large store of sensitive financial information makes Invaluable and the other online bidding platforms targets for hackers. “Once you start bragging about never being hacked, it’s like a red flag in front of a bull,” said Paul Minshull, chief operating officer at the Dallas-based Heritage Auctions. “You challenge the hackers and they dedicate their lives to proving you wrong.”

While noting that Heritage’s network has “never been breached for a loss of confidential information,” Mr. Minshull stated, “we have more than 3,000 attacks on our computer system every day. These are attempts to access our network. Recently, someone from Russia registered 40 times with 40 different email addresses, copying pages from our catalogues using a robot to scrape our prices realized. We blocked their access and they finally gave up.”

Four employees monitor the auctioneer’s network full-time, and the company also has software watching “for hackers trying to access the network, and filtering through user activity,” he said. When a collector known to Heritage changes his or her email address or bids at a higher level than usual, other software triggers an automatic alert, and “we can stop someone from bidding online with the push of a button, if necessary.”
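The kind of alerting Mr. Minshull describes, an automatic flag when a known bidder changes an email address or bids far above his or her usual level, is easy to sketch. The block below is an added example written for this article, not Heritage’s software: the event format, the bidder profiles, the thresholds (a bid more than five times the bidder’s previous maximum counts as unusual, and a bidder needs at least three prior bids before a baseline is trusted) and the “hold” action are all assumptions, and the events are constructed sample data.

```python
"""Anomaly alerts over a stream of bidder events (added illustrative example).

Two rules, modelled on the checks described in the article:
  1. an email-address change on a known account always raises a "notify" alert;
  2. a bid far above the bidder's own history raises an alert, escalated to
     "hold" (stop online bidding pending a phone call) if the email address
     was changed shortly beforehand.
New bidders with no history get no high-bid alert: without a baseline the rule
would fire on every first-time buyer. All thresholds are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

MIN_HISTORY = 3          # prior bids needed before a baseline is trusted (assumption)
HIGH_BID_FACTOR = 5.0    # bid > factor * previous max is "unusual" (assumption)
EMAIL_CHANGE_WINDOW = 5  # bids after an email change during which high bids are held


@dataclass
class BidderProfile:
    email: str
    max_bid_seen: float = 0.0
    bid_count: int = 0
    bids_since_email_change: Optional[int] = None  # None = no recent change


@dataclass
class Alert:
    bidder: str
    kind: str    # "email_change", "high_bid", "high_bid_after_email_change"
    action: str  # "notify" or "hold"
    detail: str


def detect_anomalies(events: List[dict], profiles: Dict[str, BidderProfile]) -> List[Alert]:
    """Replay events in order against the profiles and return the alerts raised.

    Profiles are copied so the caller's baseline data is left untouched."""
    state = {bidder: replace(p) for bidder, p in profiles.items()}
    alerts: List[Alert] = []
    for ev in events:
        bidder = ev["bidder"]
        p = state.setdefault(bidder, BidderProfile(email=""))
        if ev["type"] == "email_change":
            alerts.append(Alert(bidder, "email_change", "notify",
                                f"email {p.email!r} -> {ev['new_email']!r}"))
            p.email = ev["new_email"]
            p.bids_since_email_change = 0
        elif ev["type"] == "bid":
            amount = float(ev["amount"])
            recent_change = (p.bids_since_email_change is not None
                             and p.bids_since_email_change < EMAIL_CHANGE_WINDOW)
            if p.bid_count >= MIN_HISTORY and amount > HIGH_BID_FACTOR * p.max_bid_seen:
                detail = f"bid {amount:.0f} vs previous max {p.max_bid_seen:.0f}"
                if recent_change:
                    alerts.append(Alert(bidder, "high_bid_after_email_change", "hold", detail))
                else:
                    alerts.append(Alert(bidder, "high_bid", "notify", detail))
            p.max_bid_seen = max(p.max_bid_seen, amount)
            p.bid_count += 1
            if p.bids_since_email_change is not None:
                p.bids_since_email_change += 1
    return alerts


# Constructed sample data (not real bidders): B1001 is an established client whose
# email changes and who then bids fifteen times his previous maximum; B2002 is new.
INITIAL_PROFILES = {
    "B1001": BidderProfile(email="collector@old-mail.example", max_bid_seen=3000.0, bid_count=10),
    "B2002": BidderProfile(email="b2@mail.example"),
}
SAMPLE_EVENTS = [
    {"bidder": "B1001", "type": "bid", "amount": 2500},
    {"bidder": "B1001", "type": "bid", "amount": 4000},
    {"bidder": "B1001", "type": "bid", "amount": 3500},
    {"bidder": "B1001", "type": "email_change", "new_email": "collector@new-mail.example"},
    {"bidder": "B1001", "type": "bid", "amount": 60000},
    {"bidder": "B2002", "type": "bid", "amount": 800},
    {"bidder": "B2002", "type": "bid", "amount": 900},
]


def run_sample() -> List[Alert]:
    return detect_anomalies(SAMPLE_EVENTS, INITIAL_PROFILES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.action.upper():6} {a.bidder} {a.kind}: {a.detail}")
```

Running the sample produces two alerts for B1001: a “notify” for the email change and a “hold” for the 60,000 bid that follows it, while the new bidder B2002 raises nothing because there is no history to compare against. The window of five bids is what turns two individually explainable events into one worth a phone call before the lot is knocked down.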

Ironically, art collectors’ very wealth may protect them. “Data breaches are a numbers game,” said John Mullen, a lawyer with Lewis Brisbois Bisgaard & Smith LLP in Philadelphia whose specialty is data privacy and network security. “Bad guys prefer a million credit card numbers to information on 100 billionaires.”
