Christie’s Fined $193,600 for Data Breach Affecting South Korean Customers
British auction house Christie’s has been fined 287 million won ($193,600) by South Korea’s Personal Information Protection Commission (PIPC) following a data breach that exposed the personal information of 620 South Korean members. The leaked data included names, addresses, and resident registration numbers.
The breach occurred after a Christie’s employee granted a malicious actor unauthorized access to the company’s personal information processing system. The PIPC criticized Christie’s for failing to implement adequate security measures, such as encrypting customer data, and for delaying notification of the incident beyond the mandatory 72-hour reporting window.
The fine underscores regulatory scrutiny over data protection failures, particularly in cases involving sensitive personal information. The incident highlights vulnerabilities in third-party access controls and the importance of timely breach disclosures under privacy laws.
"id": "CHR1775702796",
"linkid": "christies",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '620 South Korean members',
'industry': 'Art and Auction',
'location': 'United Kingdom',
'name': 'Christie’s',
'type': 'Auction House'}],
'attack_vector': 'Unauthorized Access',
'data_breach': {'data_encryption': 'No (data was not encrypted)',
'number_of_records_exposed': '620',
'personally_identifiable_information': 'Names, addresses, '
'resident registration '
'numbers',
'sensitivity_of_data': 'High (resident registration numbers)',
'type_of_data_compromised': 'Personal Information'},
'description': 'British auction house Christie’s was fined 287 million won '
'($193,600) by South Korea’s Personal Information Protection '
'Commission (PIPC) following a data breach that exposed the '
'personal information of 620 South Korean members. The leaked '
'data included names, addresses, and resident registration '
'numbers. The breach occurred after a Christie’s employee '
'granted unauthorized access to the company’s personal '
'information processing system to a malicious actor.',
'impact': {'brand_reputation_impact': 'Regulatory scrutiny and reputational '
'damage',
'data_compromised': 'Names, addresses, resident registration '
'numbers',
'financial_loss': '$193,600 (fine imposed)',
'identity_theft_risk': 'High (resident registration numbers '
'exposed)',
'legal_liabilities': 'Fine imposed by PIPC',
'systems_affected': 'Personal information processing system'},
'initial_access_broker': {'entry_point': 'Employee granted unauthorized '
'access'},
'lessons_learned': 'Importance of encrypting customer data, timely breach '
'notifications, and robust access controls.',
'post_incident_analysis': {'corrective_actions': 'Enhanced security measures '
'(not specified)',
'root_causes': 'Inadequate security measures, lack '
'of data encryption, delayed breach '
'notification'},
'recommendations': 'Implement data encryption, enforce strict access '
'controls, and ensure timely breach disclosures.',
'references': [{'source': 'Personal Information Protection Commission '
'(PIPC)'}],
'regulatory_compliance': {'fines_imposed': '287 million won ($193,600)',
'regulations_violated': 'South Korea’s Personal '
'Information Protection Act',
'regulatory_notifications': 'Delayed beyond '
'mandatory 72-hour '
'window'},
'response': {'communication_strategy': 'Delayed notification beyond mandatory '
'72-hour window',
'remediation_measures': 'Enhanced security measures (not '
'specified)'},
'title': 'Christie’s Data Breach Affecting South Korean Customers',
'type': 'Data Breach',
'vulnerability_exploited': 'Inadequate access controls, lack of data '
'encryption'}