Export Compliance Daily is a Warren News publication.
'Ineffective and Inadequate'

Christie's Client Sues on Behalf of 500,000 Class Members Over Ransomware Event

Plaintiff Efstathios Maroulis and some 500,000 class members suffered “concrete injuries” due to a data breach at art auction house Christie’s, alleged Maroulis' class action Monday (docket 1:24-cv-04221) in U.S. District Court for Southern New York.

Maroulis and class members’ sensitive personally identifiable information (PII) – which they entrusted to Christie’s on the “mutual understanding” that the defendant would protect it against disclosure – “was targeted, compromised and unlawfully accessed” in a May 9 ransomware attack on Christie’s IT network, said the complaint.

The defendant began notifying customers Thursday about the cybersecurity incident, saying an “unauthorized third party had managed to gain access to Christie’s IT network for a limited period of time.” It “worked to revoke all access, isolate our systems, and ensure that our network was secure,” said the notice. During the attack, the third party downloaded a “limited amount of client data from Christie’s internal client verification system,” it said.

Affected data included photo IDs that individuals provided to Christie’s for its client verification procedures, name, gender, date and place of birth, driver’s license and passport numbers and the machine-readable code at the bottom of the identity page in the front of a passport, the complaint said. Christie's notice didn’t identify the cybercriminals, the root cause of the breach, the vulnerabilities exploited or the remedial measures undertaken to prevent a future breach; ransomware group RansomHub took credit for the attack, the complaint said.

The notice letter didn’t say whether Christie’s undertook any efforts to contact the half million affected class members to find out if they suffered misuse of their data, whether they should report the misuse to the defendant or whether it set up any mechanism for them to report misuse of their data, the complaint said.

Christie’s had obligations to keep Maroulis’ and class members’ PII confidential and to protect it from unauthorized access and disclosure under the FTC Act, contract and common law, and industry standards, alleged the complaint. The defendant didn’t use reasonable security procedures and practices appropriate to the nature of the sensitive information it maintained for them, such as encrypting it or deleting it when it was no longer needed, the complaint alleged.

As a result of the defendant’s “ineffective and inadequate data security practices,” the data breach and the “foreseeable consequences” of class members’ data ending up in the hands of criminals, the risk of identity theft to them “has materialized and is imminent,” the complaint said. The actual injuries sustained by Maroulis and class members include invasion of privacy, theft of PII, lost or diminished value of their PII, and lost time and opportunity costs associated with mitigating the consequences of the breach, it said.

In addition to time spent on attempting to mitigate the effects of the breach, Maroulis has experienced an uptick in spam emails, calls and texts to gain access to his devices or elicit further personal information for use in committing identity theft or fraud, said the complaint. The breach has caused him to suffer fear, anxiety and stress. He is at "present risk" as a result of the breach and “will continue to be at increased risk of identity theft and fraud for years to come,” it said.

The lawsuit asserts claims of negligence, breach of implied contract, unjust enrichment and violation of the New York Deceptive Trade Practices Act. Maroulis requests on behalf of himself and class members orders enjoining Christie’s from engaging in the wrongful conduct described; requiring it to encrypt all data collected through the course of its business in accordance with appropriate laws and industry standards; to delete and purge their PII; and to provide them out-of-pocket expenses associated with the prevention, detection and recovery from identity theft, tax fraud or unauthorized use of their PII.

The plaintiff also seeks an award of actual, nominal, statutory, consequential and punitive damages, plus attorneys’ fees, litigation expenses and prejudgment interest on all amounts awarded. Christie’s didn’t comment Tuesday.