For instance, in 2023, a cyberattack on Christie’s disrupted their website just as the auction house was preparing for a major sale, exposing the industry's vulnerability. The following year, cyberattacks on Gallery Systems and Christie’s were further evidence of hackers’ ability to exploit weaknesses in the cyber defences of a leading collections management software system and an auction house website. Some of the premier US museums — including the Smithsonian, Museum of Fine Arts Boston, and Crystal Bridges Museum of American Art — have also suffered security breaches, raising concerns about data protection and financial fraud.
These incidents are part of a broader trend. According to the 2024 edition of the Hiscox Cyber Readiness Report, businesses across industries are experiencing a surge in cyberattacks, with financial losses climbing year over year. For art institutions and art businesses alike, the stakes are particularly high: a single breach can result in stolen artworks, fraudulent transactions, and reputational damage that may take years to repair.
As cyber threats to the art industry mount, it is critical for art companies and institutions to invest in cybersecurity resilience. This article explores key protective measures that can be taken, cybersecurity best practices, and proven strategies to safeguard your organization against cyberattacks.
Vulnerability Assessment
Vulnerability assessments are an essential starting place to measure an organization’s readiness to deal with potential cyberattacks. The assessment process allows the organization to evaluate their level of cyber readiness before planning a strategy to address vulnerabilities and mitigate risks.
An assessment should begin by understanding which data is most sensitive for the organization and the potential consequences of that data being compromised. The second stage in the process involves analyzing any system or platform weaknesses and assessing employees’ knowledge of cyber-security best practices. It is also vital to examine the potential threats emanating from third parties.
Protecting Sensitive Data
In the art industry, certain types of data are considered sensitive. For online art auction platforms and marketplaces, this means the personal and financial information of buyers, sellers, and consignors: names, phone numbers, email addresses, bank and payment details, and the physical addresses to which purchased artworks will be shipped. Since auction specialists spend a great deal of time courting and building relationships with potential consignors and wealthy collectors, protecting their personal and financial data is vital to the health and value of these client relationships.
Art collection management platforms must also protect valuation data, insurance details, acquisition records and personal information about artists and private collectors. Another category of data that must be carefully guarded is pricing information, as galleries and dealers may track several different prices for the same artwork based on preferential treatment of certain clients. If this information is compromised, it could adversely impact the prized dealer-collector relationships on which the success of many art galleries depends.
Additionally, it is vital to secure certain contextual information about artworks in a collection or about the artists that a gallery represents, such as historical ownership records of artworks, private waiting lists for an individual piece, any pre-existing concerns over an artwork’s authenticity, and contractual and financial arrangements with artists.
For museums and cultural institutions, the digitization of their assets has introduced new cybersecurity challenges. As these organizations work to make their collections more accessible online, they can also inadvertently expose themselves to cyberattacks directly or via critical third-party systems they depend on. Attackers can probe these systems to identify and exploit vulnerabilities within them, causing a ripple effect across any institutions using these systems. This is how the Museum of Fine Arts Boston, the Crystal Bridges Museum of American Art in Arkansas, New York’s Rubin Museum of Art and many other museums were all impacted by the same cyberattack on Gallery Systems in 2023. That very same year, an attack on the British Library by Rhysida resulted in the ransomware group leaking stolen data after the library refused to pay their ransom demand.
Another growing concern is the security of donor data. Since many museums and cultural institutions rely on philanthropic contributions, cybercriminals see them as valuable sources of intelligence about wealthy individuals and major donors. If this data falls into the wrong hands, it could be used to target high-net-worth individuals for financial fraud or other forms of cyber exploitation.
Examining Internal Risks
Security Code Review
The goal of a security code review is to identify potential weaknesses and flaws in the software code being used by online art platforms. While some industries mandate secure code reviews as part of their compliance requirements, any online art platform or marketplace would be wise to perform this review to ensure a secure environment. Some of the primary focus areas for a security code review include authentication, authorization, data validation, data encryption, and error handling.
Ideally, “assessing software code for flaws that may compromise system security should be a regular, ongoing activity that is built into the software delivery process for the platform,” says Denis Chernobrovkin, Delivery Manager in DataArt’s Media & Entertainment practice, who has first-hand experience helping art industry clients conduct security code reviews. DataArt’s approach to helping clients secure their online platforms and digital solutions includes advising clients on best development practices to ensure high quality code and safe handling of user data, which mitigate security risks and limit the threat of attacks through data exposure and manipulation.
The security code review process can be conducted either manually or through automated tools, but the manual route is advantageous because the chances of detecting all issues with this method are higher. Always ensure that those who are reviewing the code are well-versed in the language used to program the application, knowledgeable about secure coding best practices, and aware of the entire business context of the platform.
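To make the review focus areas above concrete, here is an added example (not code from DataArt or any real platform) of a bid-placement handler for a constructed online auction, shown as a reviewer would see it before and after findings on authorization, data validation and error handling are fixed. The lot data, identifiers and bid increment are all constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed in-memory lot record standing in for the platform's database
# (example data, not from any real auction system).
@dataclass
class Lot:
    lot_id: str
    consignor_id: str
    status: str                       # "open" or "closed"
    current_bid: Decimal
    increment: Decimal
    bids: list = field(default_factory=list)

def fresh_lots():
    return {"lot-42": Lot("lot-42", "consignor-7", "open",
                          Decimal("1000"), Decimal("100"))}

def place_bid_before(lots, lot_id, user_id, amount):
    """Flaws a reviewer would flag: no authorization check (the consignor can
    bid up their own lot), no lot-status check, money handled as float, and an
    unhandled KeyError for an unknown lot that leaks a stack trace."""
    lot = lots[lot_id]
    if float(amount) > float(lot.current_bid):
        lot.current_bid = Decimal(str(float(amount)))
        lot.bids.append((user_id, lot.current_bid))
        return {"ok": True}
    return {"ok": False, "error": "bid too low"}

def place_bid_after(lots, lot_id, user_id, amount):
    """Hardened version: every rejection returns a short client-facing
    message, and nothing about internals is exposed."""
    lot = lots.get(lot_id)
    if lot is None or lot.status != "open":
        return {"ok": False, "error": "lot not available for bidding"}
    if user_id == lot.consignor_id:                   # authorization
        return {"ok": False, "error": "consignor may not bid on own lot"}
    try:                                              # data validation
        amt = Decimal(str(amount))
    except InvalidOperation:
        return {"ok": False, "error": "invalid bid amount"}
    # Reject NaN/Infinity, non-positive amounts and more than two decimals.
    if not amt.is_finite() or amt <= 0 or amt.as_tuple().exponent < -2:
        return {"ok": False, "error": "invalid bid amount"}
    if amt < lot.current_bid + lot.increment:
        return {"ok": False, "error": "bid below minimum increment"}
    lot.current_bid = amt
    lot.bids.append((user_id, amt))
    return {"ok": True, "current_bid": str(amt)}
```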
Cloud Security Audit
Art businesses are increasingly leveraging the power of cloud services to secure and manage their data assets. A cloud security audit analyzes the infrastructure and processes used by a platform in order to find security gaps, identify issues not yet addressed, and verify that the implemented security controls are in line with the company’s policies. One of the primary components of this assessment is access management, to ensure a comprehensive understanding of who can access the cloud services and the specific levels of access for each user type. Additionally, the assessment is used to determine appropriate alarms for the specific data being collected and/or stored, putting safeguards in place to catch illicit activity before it is too late to stop it.
Some of the other components of a cloud security audit include assessing the integrity of the application and related infrastructure, the architectural design and hosting strategy, reliability, data privacy, encryption practices, and data retention policies. These assessments can also flag lapses in keeping servers and operating systems up to date with the most recent bug fixes and security patches, a basic but essential step in hardening a platform’s infrastructure against cyberattacks and zero-day vulnerabilities.
Large-scale, cloud-hosted digital installations like the Van Gogh exhibit require robust cloud security, as they rely on real-time interactivity, seamless data streaming and online access, making them high-value potential targets for cyberattacks. Without strong security measures, an attack on a cloud-based exhibition platform could result in disruptions, unauthorized content manipulation, or even data breaches exposing user information. For example, a cybercriminal gaining access to the system could alter digital artwork presentations, introduce malicious content, or compromise payment and customer data.
Security Consulting
The reality is that many organizations, particularly in the traditional art world, do not have the necessary in-house expertise or resources to ensure a secure digital environment. By consulting with external security experts, organizations can be confident that every detail of their application has been effectively analyzed and secured against potential vulnerabilities and cyberattacks. And while such consulting services come at a cost, using an external company is often much cheaper in the long run than facing the consequences of a data breach or a ransomware attack, which can lead to devastating financial losses and grave reputational damage.
Penetration Testing
The aim of penetration testing is to simulate a cyberattack to identify any exploitable vulnerabilities while determining the ability of a system and team to handle an attempted attack with minimal consequences. Once the simulation has been planned, the next step is to analyze how a target application responds to various types of attempted intrusions. Once this has been completed, any vulnerabilities found are put through every conceivable hack to determine the level of potential damage that could be caused in a real attack. Finally, the penetration testing team will attempt to maintain access via the vulnerabilities identified to determine if a long-term presence from hackers is a possible outcome.
Social Engineering Test
Recent data suggests that ransomware attacks targeting cultural institutions are on the rise. In 2024, Heritage, a major auction house, reported experiencing over 3,000 cyberattack attempts daily, with certain high-profile auctions being probed up to 10,000 times per second. These attacks frequently begin with phishing emails containing malware, highlighting the importance of employee training. Regular internal phishing simulations, like those conducted at Heritage, help assess staff vulnerability and reinforce security protocols.
Organizations can prepare for such threats by increasing social engineering awareness through ongoing education, internal phishing tests, and vendor security monitoring. Since employees remain the most common entry point for attackers, strengthening human defenses is just as critical as implementing technical safeguards.
Another way to increase the level of social engineering awareness is to simulate a phishing attack. To conduct social engineering testing effectively, the cybersecurity team must try to think like a hacker to ensure an accurate simulation. A first test typically checks whether a malicious attachment can get past the email filters in place, so that opening it would release malware into the system. Phishing emails are often also intended to collect user credentials for use in future attacks. The team might try a variety of phishing attacks, from simplistic and seemingly obvious messages to more complex and customized alternatives. Once the test is complete, the cybersecurity team analyzes click rates, login numbers, and how often messages were flagged to determine the most effective ways for the application owners to improve their security practices and protect their environment in the future.
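The analysis step described above, as an added example that is not part of the original article: it takes a constructed event log from two simulated campaigns (a simplistic one and a customized one), counts each recipient at most once per event type, and reports click, credential-submission and report rates per campaign plus the recipients who need follow-up training. The event names, campaign labels and recipient ids are assumptions made for this example.

```python
from collections import defaultdict

# Constructed event log from an internal phishing simulation (not real data).
# Each record: (campaign, recipient, event). Events: sent, opened, clicked,
# submitted (entered credentials on the landing page), reported (flagged it).
EVENTS = [
    ("simple", "a", "sent"), ("simple", "a", "opened"), ("simple", "a", "clicked"),
    ("simple", "a", "submitted"),
    ("simple", "b", "sent"), ("simple", "b", "reported"),
    ("simple", "c", "sent"), ("simple", "c", "opened"),
    ("simple", "d", "sent"), ("simple", "d", "clicked"), ("simple", "d", "clicked"),
    ("simple", "d", "reported"),
    ("targeted", "a", "sent"), ("targeted", "a", "clicked"), ("targeted", "a", "submitted"),
    ("targeted", "b", "sent"), ("targeted", "b", "clicked"), ("targeted", "b", "submitted"),
    ("targeted", "c", "sent"), ("targeted", "c", "reported"),
    ("targeted", "d", "sent"), ("targeted", "d", "opened"),
]

def summarize(events):
    """Per-campaign rates (percent of recipients sent the message). Each
    recipient counts once per event type, so repeat clicks (recipient d in
    the simple campaign) do not inflate the click rate."""
    per_campaign = defaultdict(lambda: defaultdict(set))
    for campaign, recipient, event in events:
        per_campaign[campaign][event].add(recipient)
    summary = {}
    for campaign, by_event in per_campaign.items():
        sent = len(by_event["sent"])
        def rate(ev):
            return round(100 * len(by_event[ev]) / sent, 1) if sent else 0.0
        summary[campaign] = {
            "sent": sent,
            "click_rate": rate("clicked"),
            "credential_rate": rate("submitted"),
            "report_rate": rate("reported"),
            # Clicked but never flagged the message: first candidates for training.
            "clicked_not_reported": sorted(by_event["clicked"] - by_event["reported"]),
        }
    return summary

def repeat_submitters(events):
    """Recipients who handed over credentials in more than one campaign."""
    campaigns_by_recipient = defaultdict(set)
    for campaign, recipient, event in events:
        if event == "submitted":
            campaigns_by_recipient[recipient].add(campaign)
    return sorted(r for r, cs in campaigns_by_recipient.items() if len(cs) > 1)
```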
Establish Cybersecurity Protocols
Security Assurance Program
It is vital to embed security in all applications from the outset to ensure that the development process and solution conforms to a client’s security standards and compliance requirements. A security assurance program also guarantees that a solution is implemented according to security best practices and that it is sufficiently protected from relevant threats and attackers.
This program focuses on preventing the unauthorized disclosure of sensitive information, ensuring the accuracy and integrity of data, and making sure information will be available when needed. Additionally, this process includes the analysis of an application’s architecture, security controls, and event management.
Compliance Management
Security compliance aims to gain a complete understanding of both the current and future security standards and cyber regulations to ensure full compliance by staff and partners in every component of a system. This process includes cyber risk management, security and regulatory compliance, third-party risk assessment, and cyber insurance management.
In the US, a New York law originally passed in 2005 and updated in 2013 mandates that businesses disclose any data breaches to the state attorney general’s office, state police, and Division of Consumer Protection, along with notifying affected customers. The European Union's General Data Protection Regulation (GDPR), effective since 2018, imposes strict requirements for handling personal data and mandates that businesses report breaches within 72 hours.
Despite these regulations, transparency about cybersecurity breaches remains inconsistent, with many incidents not being publicly disclosed. This lack of visibility makes it challenging for art buyers and sellers to assess the cybersecurity risks associated with auction houses and online art platforms. Art businesses must not only comply with data protection laws but also proactively communicate their security measures to build trust with their clients.
To ensure full compliance with evolving data protection laws, art businesses must also carefully assess where and how their data is stored, particularly when relying on third-party cloud services. These days, virtually everything is stored in the cloud. It is essential to review all third-party cloud contracts to understand precisely where data is being stored to facilitate compliance with the data laws in each specific location. For example, some countries require a copy of all data stored within their zone of governance. Not being aware of regulations of this type can lead to non-compliance and associated problems in the future.
Evaluation of External Risks
The most common external cybersecurity risks originate from third parties. There are many situations where a company has put sensitive information in the hands of a third-party organization, such as an integrated payment system provider, so it is important to analyze the potential vulnerabilities that companies can be exposed to via third-party integrations.
A notable example is the case of Gallery Systems mentioned earlier, whose outage disrupted several museum websites that rely on its eMuseum software, which allows visitors to browse online collections. Curators were also unable to access critical information from a system containing donor names, loan agreements, provenance records, and storage locations for priceless artworks. While some institutions like the Metropolitan Museum of Art and the Whitney Museum of American Art were unaffected because they hosted their own databases, the Museum of Fine Arts, Boston saw its digital collection page go down, though internal data remained safe.
To mitigate the risks highlighted by third-party vulnerabilities, it is crucial to ensure that cybersecurity protocols are clearly outlined and agreed upon in all business contracts. Contracts must explicitly define all cybersecurity responsibilities between the parties, so that vulnerabilities are not left open because one side expects the other to handle them.
Besides third-party contract reviews, it is equally important to assess the security practices of potential partners to ensure they align with your organization’s standards for protecting sensitive data. Be sure to study their policies and preventative measures to determine the quality and care of these practices, and always check their policy on security breaches to understand what steps they will take if a breach arises.
Many auction houses outsource their cybersecurity to specialized companies. For instance, Grogan and Company relies on cybersecurity insurance and partners with a local IT firm while hosting their website with Invaluable. Drouot, an auction house in France, follows PCI DSS standards and ensures close monitoring of data security. Auction houses often contract with third-party platforms like Bidsquare, Proxibid, or LiveAuctioneers, which segment client data across separate networks, making it harder for hackers to compile complete information. These platforms also use private cloud systems, reducing vulnerability to risks associated with public cloud environments.
AI in Cybersecurity
According to Hiscox Cyber Readiness Report 2024, a growing number of art organizations are leveraging AI and other advanced technologies to improve efficiency: 70% of organizations have already integrated generative AI or GenAI into their operations, with over half (56%) believing AI can significantly impact their cybersecurity risk profile.
While AI can be exploited by cybercriminals — such as using large language models to generate highly convincing phishing emails — it also plays a critical role in defense. SOAR (security orchestration, automation, and response) systems integrate AI-driven tools to detect, analyze, and mitigate threats in real time, reducing response times and strengthening security protocols. Additionally, AI-powered threat analysis enables organizations to identify vulnerabilities, reconstruct attack patterns, and develop more advanced encryption and access control strategies.
Working with Cybersecurity Providers
To avoid the potential devastation resulting from data leaks, ransomware attacks and cyberattacks, it is highly advisable to utilize the services of a cybersecurity provider. Through our work at DataArt, we have seen countless cases where data breaches could have been prevented if the organization had used the services of a firm like ours to analyze and shore up their cyber defenses before an attack was launched. In helping an organization to detect and respond to evolving cyber threats, a cybersecurity provider can save a company significant sums of money overall, protect their reputation, and ensure their systems and their business continue to operate without security related disruptions.
As the digital transformation of the art industry accelerates and online art marketplaces continue to grow in popularity, the frequency and scale of cyberattacks on the industry must be given proper attention. It is critical for art market players to implement effective cybersecurity strategies before a major cyberattack inevitably occurs. Security breaches can be catastrophic events, typically costing massive amounts of money, often destroying an organization’s reputation, and potentially sending shockwaves through an entire industry. That is why it is essential to make every effort to implement comprehensive cybersecurity practices early on, thereby ensuring compliance with industry and governmental standards, while keeping data secure and trustworthy reputations intact.