Throughout the art world, the provenance of certain pieces is always top of mind. And recently, Christie’s was unintentionally offering up that information—or at least some version of it.
The British auction house apparently allowed anyone online the opportunity to see where certain artworks were being stored, The Washington Post reported on Monday. The flaw was identified by two cybersecurity researchers, Martin Tschirsich and André Zilch. And while the pair alerted Christie’s to the problem more than two months ago, it seems like the company took steps to rectify it only recently.
“Unfortunately, it only took us a few minutes to come across this serious vulnerability,” Tschirsich told the Post. “The vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.”
Christie’s allows potential sellers to upload images of artwork that the auction house will evaluate, estimating the pieces’ value and deciding whether it’s interested in putting them under the hammer. But those photos can include the GPS coordinates of where they were taken, with the researchers estimating that about 10 percent of the Christie’s images had that precise geolocation. In all, they say that hundreds of possible clients were exposed to the flaw.
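In JPEG files, coordinates like these normally sit in the EXIF metadata block, which a site that accepts uploads can detect and remove before a photo is stored or served. The Python sketch below is an added illustration, not code from Christie's or the researchers; it assumes JPEG uploads, and the function names and the sample bytes are constructed for the example.

```python
import struct

GPS_IFD_TAG = 0x8825  # EXIF tag in the first directory (IFD0) that points at the GPS directory

def make_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a JPEG segment skeleton (not a viewable photo) whose EXIF
# block holds a single IFD0 entry, the GPS pointer, followed by an empty GPS directory.
TIFF = (b"II*\x00" + struct.pack("<I", 8)
        + struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0) + struct.pack("<HI", 0, 0))
SAMPLE = (b"\xff\xd8" + make_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + make_segment(0xE1, b"Exif\x00\x00" + TIFF)
          + make_segment(0xDA, b"\x00") + b"\x12\x34\xff\xd9")

def segments(jpeg):
    """Yield (marker, payload, raw) per header segment, then the image data as (None, b"", raw)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] != 0xDA:  # 0xDA: compressed scan follows
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos] != 0xFF or length < 2:
            raise ValueError("corrupt segment header")
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, b"", jpeg[pos:]  # scan data and end marker, passed through untouched

def is_exif(marker, payload):
    return marker == 0xE1 and payload.startswith(b"Exif\x00\x00")

def has_gps(jpeg):
    """True if any EXIF block's IFD0 contains the pointer to a GPS directory."""
    for marker, payload, _ in segments(jpeg):
        if is_exif(marker, payload):
            tiff = payload[6:]
            order = "<" if tiff[:2] == b"II" else ">"  # byte order declared by the file
            (ifd0,) = struct.unpack(order + "I", tiff[4:8])
            (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
            for i in range(count):
                entry = ifd0 + 2 + 12 * i  # each directory entry is 12 bytes
                if struct.unpack(order + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
                    return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every EXIF segment dropped; all other bytes are kept as-is."""
    kept = (raw for marker, payload, raw in segments(jpeg) if not is_exif(marker, payload))
    return b"\xff\xd8" + b"".join(kept)
```

Location can also be carried in XMP metadata, which this sketch leaves in place, so a production upload path would strip that as well or re-encode the image.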
For its part, Christie’s declined to answer questions from The Washington Post, and it would not confirm Tschirsich and Zilch’s findings. “We continuously assess our security safeguards, thoroughly address issues relating to the security of our clients’ information, and comply with our legal and regulatory obligations,” the company said in a statement. However, it seems like Christie’s only fixed this specific vulnerability after the newspaper reached out about the issue. An executive at the auction house had declined the researchers’ help in resolving the problem around June. The researchers told the Post that they were not looking for a bounty for having found the issue.
While Christie’s has been aware of the issue since then, it’s not clear whether the company has alerted any of its potential clients to the problem. The Post spoke with a German professor who had uploaded images to its website, and he said that the auction house had not yet reached out to him. He only found out about the issue when the outlet got in touch with him.
“Especially with a renowned house like Christie’s,” he said, “I would not have expected that.”