Sotheby’s has confirmed a data breach following unauthorized access to its internal systems, exposing sensitive personal information belonging to clients.
The breach happened on 24 July 2025, and was discovered two months later, on 24 September. An investigation led by external forensic specialists found that an unknown actor had exfiltrated internal data.
The review process, downloading, cataloging, and analyzing the stolen files, ended in late September.
While Sotheby’s has not disclosed how many individuals were affected, the compromised data possibly includes names, Social Security numbers, and financial account details. Only two Maine residents are confirmed among the victims, though the there may be many more.
Founded in 1744, Sotheby’s is one of the world’s most established auction houses, dealing in art, jewelry, and high-value collectibles. Its prominence and digital footprint make it an attractive target for bad actors.
The firm started notifying those affected on 15 October, nearly three months after discovering the attack.
Sotheby’s said the malefactors broke in despite “administrative and technical safeguards in place”.
It also said it regularly patches systems, tests its internal incident response plans, back up critical services, vets its vendors, and trains its workforce to ensure security is built into how it works every day.
“As part of our ongoing commitment to the privacy of information we will continue to review these safeguards and consider further enhancements to ensure the ongoing safety of information on our systems,” the letter reads.”
Specific details of the intrusion, such as entry points or exploited vulnerabilities, remain undisclosed.
No ransomware group has claimed responsibility or listed the company on dark web leak sites.
To help mitigate risk, Sotheby’s is offering 12 months of identity and credit protection through TransUnion, including fraud monitoring and identity restoration services. Clients are also being urged to remain alert for signs of unauthorized activity in their financial accounts.
John Carberry, CMO at Xcape Inc, commented: “The recent Sotheby’s breach underscores the fact that even organizations with seemingly robust security measures can be exploited by skilled adversaries. The leak of Social Security numbers and financial information is especially concerning, as it increases the risk of identity theft and financial crimes for those affected.”
He said: “It is worth noting the irony in a similar ransomware situation at Christie’s last year. In that incident, the cyber criminals did not leak the data but rather auctioned it to a private buyer. These incidents emphasize the importance of a multi-layered security approach, swift detection methods, thorough management of third-party risks, and preventative measures. Openness and prompt communication will be crucial in preserving client and stakeholder trust.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.