In July 2025, Sotheby's, a globally renowned auction house, suffered a significant data breach orchestrated by a cybercriminal known as 'm217'. The breach involved the unauthorized removal of sensitive personal and financial data, including names, Social Security numbers, and financial account information of an undetermined number of clients. The threat actor publicly claimed responsibility on the dark web as early as May 23, 2025, while Sotheby's completed its internal review by September 24, 2025 and began notifying affected individuals via mail on October 15, 2025. The incident was also formally disclosed to the Maine and Massachusetts Attorney Generals' offices. The exposure of such highly sensitive data poses severe risks, including identity theft, financial fraud, and long-term reputational harm to both the company and its clients. Sotheby's offered 12 months of free credit monitoring to impacted individuals, but the breach’s scale and the nature of the compromised data suggest profound operational and legal repercussions, with law firms already investigating potential class-action lawsuits for compensation.
Source: https://www.claimdepot.com/investigations/sothebys-data-breach-2025
TPRM report: https://www.rankiteo.com/company/sothebys
"id": "sot1793317101625",
"linkid": "sothebys",
"type": "Breach",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Unknown number of individuals',
'industry': 'Fine Art, Luxury Goods, Collectibles',
'location': 'New York City, USA (HQ); global presence '
'in 40+ countries',
'name': "Sotheby's",
'type': 'Auction House / Luxury Marketplace'}],
'customer_advisories': 'Mailed notifications sent to impacted clients on '
'2025-10-15, including offers for free credit '
'monitoring and steps to mitigate identity theft '
'risks.',
'data_breach': {'data_exfiltration': "Yes (confirmed by threat actor's dark "
'web post)',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': ['Name',
'Social Security '
'number',
'Financial account '
'information'],
'sensitivity_of_data': 'High (includes SSNs and financial '
'account information)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data']},
'date_detected': '2025-07',
'date_publicly_disclosed': '2025-10-15',
'description': "Sotheby's, a global auction house, discovered in July 2025 "
'that sensitive personal and financial data had been '
"exfiltrated by a cybercriminal known as 'm217'. The breach "
'was publicly disclosed in October 2025, with notifications '
'sent to affected clients. The compromised data included '
'names, Social Security numbers, and financial account '
"information. Sotheby's offered 12 months of free credit "
'monitoring to impacted individuals and reported the incident '
"to the Maine and Massachusetts Attorney Generals' offices.",
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive client data',
'data_compromised': ['Name',
'Social Security number',
'Financial account information'],
'identity_theft_risk': 'High (due to exposure of SSNs and '
'financial data)',
'legal_liabilities': 'Potential lawsuits and compensation claims '
'from affected individuals',
'payment_information_risk': 'High (financial account information '
'exposed)'},
'initial_access_broker': {'data_sold_on_dark_web': "Yes (claimed by 'm217' in "
'May 2025 post)'},
'investigation_status': "Ongoing (led by Shamis & Gentile P.A.; Sotheby's "
'internal review completed by 2025-09-24)',
'recommendations': ['Enroll in the 12 free months of TransUnion Cyberscout '
"credit monitoring services offered by Sotheby's.",
'Monitor financial statements regularly for suspicious '
'activity or unauthorized transactions.',
'Place a fraud alert with credit bureaus to prevent '
'unauthorized account openings.',
'Request free annual credit reports from major credit '
'bureaus.',
'Seek legal counsel to understand rights and potential '
'compensation eligibility.'],
'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'},
{'source': "Sotheby's Client Notification (2025-10-15)"},
{'source': "Dark Web Post by Threat Actor 'm217' "
'(2025-05-23)'}],
'regulatory_compliance': {'legal_actions': 'Potential lawsuits from affected '
'individuals (investigation '
'ongoing by Shamis & Gentile P.A.)',
'regulatory_notifications': 'Maine and '
'Massachusetts Attorney '
"Generals' offices "
'(notified on '
'2025-10-15)'},
'response': {'communication_strategy': 'Client notifications via mail '
'(starting 2025-10-15); disclosure to '
'Maine and Massachusetts Attorney '
"Generals' offices",
'incident_response_plan_activated': 'Yes (review completed by '
'2025-09-24)',
'remediation_measures': 'Offered 12 months of free TransUnion '
'Cyberscout credit monitoring to '
'affected clients'},
'threat_actor': 'm217',
'title': "Sotheby's Data Breach (2025)",
'type': 'Data Breach'}