Introduction: Experts Reveal Glaring Cybersecurity Gap Allowing Precise Artwork Location Data to be Published
A significant cybersecurity vulnerability has been uncovered by German information security experts within the renowned auction house Christie’s safeguards. This flaw allowed the precise location data of artworks belonging to numerous consigners to be inadvertently disclosed on the auction house’s website. The revelation highlights a concerning lapse in security that could have serious implications for the privacy and security of valuable artworks.
Exposing the Precise Location Data
The cybersecurity experts, Martin Tschirsich and André Zilch from the German cybersecurity research company Zentrust Partners, discovered a flaw in Christie’s cybersecurity measures. They found that location data obtained through GPS coordinates was so accurate that it could pinpoint the exact location where a photo was taken, thereby revealing the storage location of the corresponding artwork.
Magnitude of the Issue
Tschirsich and Zilch reported that approximately 10% of the images uploaded to Christie’s website contained exact GPS coordinates. This means that a significant portion of consigners’ artworks could potentially be located with alarming accuracy, raising concerns about privacy and security.
Discovery and Notification
The experts found that when individuals aspiring to consign artworks uploaded images to Christie’s website for potential sales, GPS information was often embedded in the photographs. Tschirsich and Zilch notified Christie’s about the vulnerability in June, drawing attention to the potential security breach. However, it reportedly took until Tuesday for Christie’s to address and rectify the issue.
Offer of Assistance and Response
In an unexpected twist, Tschirsich and Zilch offered to assist Christie’s in resolving the vulnerability without charge. However, an unnamed executive from Christie’s reportedly declined their offer, stating that they did not require external assistance and that the matter was being dealt with internally.
Unusual Reaction and Past Experiences
The reaction from Christie’s was unexpected for cybersecurity researchers like Tschirsich and Zilch, who are accustomed to companies engaging with them to address vulnerabilities. While many organizations pay cybersecurity experts to identify and rectify security gaps, Christie’s approach appears distinct in not actively promoting such engagement.
Tschirsich and Zilch have previously volunteered their expertise to address vulnerabilities. They have been involved in securing patients’ health data in Germany and contributed to revealing critical issues within election software.
Immediate Exploitation and Delayed Resolution
The duo turned their attention to Christie’s after being approached by an acquaintance about the security of the auction house’s services. They swiftly identified the serious vulnerability, emphasizing its simplicity and ease of exploitation through any web browser. Despite being informed in June, Christie’s did not address the vulnerability until their response to inquiries from the media.
Christie’s Response and Resolution
In response to the situation, Christie’s stated that client privacy is a top priority and that they maintain a robust information security program. This statement was consistent with their response to media outlets. The auction house asserted its commitment to safeguarding client information and reassured clients that their security measures are regularly assessed.
Conclusion
The cybersecurity lapse discovered by German experts at Christie’s underscores the critical need for meticulous security measures in the art world. The revelation of such a vulnerability, which could compromise the privacy and security of valuable artworks, highlights the complex challenges faced in protecting sensitive information within digital platforms. The incident also raises questions about the responsiveness of institutions to external assistance in resolving security issues.
Feature image Courtesy: PROFILEnyc
Contributor
