Sotheby’s

Sotheby’s, a leading global auction house, experienced a data breach in July 2025 in which an unknown threat actor exfiltrated sensitive employee information from its systems. The compromised data included full names, Social Security numbers (SSNs), and financial account details. The breach was detected on July 24, 2025, and a two-month investigation followed to identify the scope and affected individuals. Initially, reports suggested customer data was exposed, but Sotheby’s later clarified that only employee data was impacted. The company is providing affected employees with 12 months of free identity protection and credit monitoring via TransUnion. While no ransomware group has claimed responsibility, the incident underscores Sotheby’s history of cybersecurity vulnerabilities, including past web skimming attacks (2017–2018, 2021) and a 2024 breach at rival Christie’s by RansomHub. The exact number of affected employees remains undisclosed, with only four individuals confirmed in Maine and Rhode Island filings.

Source: https://www.bleepingcomputer.com/news/security/auction-giant-sothebys-says-data-breach-exposed-financial-information/

TPRM report: https://www.rankiteo.com/company/sothebys

"id": "sot3762037101725",
"linkid": "sothebys",
"type": "Breach",
"date": "6/2017",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '0 (only employees impacted)',
                        'industry': 'Auction House / Fine Art / Asset-Backed '
                                    'Lending',
                        'location': 'Global (Headquartered in New York, USA)',
                        'name': 'Sotheby’s',
                        'size': 'Large (Handles $6 billion in annual sales)',
                        'type': 'Private Company'}],
 'customer_advisories': 'None (incident limited to employees)',
 'data_breach': {'data_exfiltration': 'Yes (data removed from Sotheby’s '
                                      'environment)',
                 'personally_identifiable_information': ['Full names',
                                                         'Social Security '
                                                         'numbers (SSNs)'],
                 'sensitivity_of_data': 'High (SSNs, financial account '
                                        'information)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data']},
 'date_detected': '2025-07-24',
 'date_publicly_disclosed': '2025-10-17',
 'description': 'Major international auction house Sotheby’s detected a data '
                'breach where threat actors stole sensitive employee '
                'information, including full names, Social Security numbers '
                '(SSNs), and financial account details. The breach was '
                'discovered on July 24, 2025, and the investigation took two '
                'months to determine the scope and impacted individuals. The '
                'company is offering 12-month identity protection and credit '
                'monitoring services to affected employees through TransUnion.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of sensitive employee data',
            'data_compromised': ['Full names',
                                 'Social Security numbers (SSNs)',
                                 'Financial account information'],
            'identity_theft_risk': 'High (SSNs and financial data exposed)',
            'payment_information_risk': 'High (financial account information '
                                        'exposed)'},
 'investigation_status': 'Completed (as of 10/17/2025)',
 'ransomware': {'data_exfiltration': 'Yes (confirmed)'},
 'references': [{'date_accessed': '2025-10-17', 'source': 'BleepingComputer'},
                {'date_accessed': '2025-10-17',
                 'source': 'Sotheby’s Public Statement'},
                {'source': 'Maine Attorney General Office Filing'}],
 'regulatory_compliance': {'regulatory_notifications': 'Filing submitted to '
                                                       'Maine’s Attorney '
                                                       'General office '
                                                       '(mentions 2 affected '
                                                       'individuals in Maine '
                                                       'and 2 in Rhode '
                                                       'Island)'},
 'response': {'communication_strategy': 'Direct notification to impacted '
                                        'individuals; public statement to '
                                        'BleepingComputer (10/17/2025)',
              'incident_response_plan_activated': 'Yes (immediately upon '
                                                  'detection)',
              'law_enforcement_notified': 'Yes',
              'recovery_measures': '12-month identity protection and credit '
                                   'monitoring (TransUnion) offered to '
                                   'affected employees',
              'third_party_assistance': 'Yes (leading data protection and '
                                        'response experts engaged)'},
 'stakeholder_advisories': 'Notified impacted employees; public statement '
                           'issued',
 'threat_actor': 'Unknown actor',
 'title': 'Sotheby’s Data Breach Incident (2025)',
 'type': 'Data Breach'}