Christies hacked? A take on crisis communication

Christie's, the auction house got hacked! Or is it only a "technology security incident" that has brought down its website for about a week now ?

Whichever it is, from my outsider's perspective, it feels like their communication could be handled better.

Disclaimer

I am not a communication expert nor, have any inside knowledge of how Christie's operate.

My "investigation" consists of going through social media and internet searches.

Here is my take from a outsider's perspective.

The context

Christie's, the auction house 'shut down its website' ahead of one of its biggest week of the year where sales of more than 800 millions dollars worth of art were expected.

It was first reported by The New York Times then a lot of different outlets also covered the incident.

This ITPro article gives a quick summary of the situation.

I personally first became aware of the incident scrolling Twitter/X.

Tweet about Christie's hack

Being both interested, in art, auctions and auction houses as well as IT, this picked my interest, so I tried to learn more about it.

One question that came to my mind was : how come it took me so long (about a week), to learn about it?

But, I will dismiss it (or at least some, as it ended up during personal vacation time). However, I went back to see how I could have been more aware, had I been available. And that brings me to the first point.

Control the narrative

I would expect more transparency and more effort on Christie's side to proactively lead the narrative on the issue.

I follow their accounts on multiple social media : Twitter/X, LinkedIn, WeChat, ... I didn't see any strong statement about what happened. I understand their focus is on making the current sale a success, and it seems to be one. But, the potential incident a cyber-attack, hack, ... as reported by the media would require more.

A lot of the information comes from the media, which are focused on different aspects, and prone to speculation.

So what exactly is the incident ?

  • A "technology security incident” as stated by Christie's (which, can mean everything and nothing at the same time) ?
  • A hack, cyber-attack, ... as reported by the media ?

At this stage, I don't know. And, that's exactly my point here. Why not be clear, and state exactly what it is?

Yes, it may end up being too technical for most of Christie's clientele, art enthusiasts, ... but it would shut down any kind of speculation. And even if not completely known at the time, saying that they don't know yet and would give more information (with a clear date / channel) seems like a better strategy.

On the other side, tens if not hundreds of articles have been published mentioning hack, cyber-attacks, breach, ... so,that's what most of the public will go with.

With its excerpt as "The auction house failed to regain control of its official website on Sunday [...]", the (nytimes.com) article make it feels more like the cyber-attack.

It's likely, but I "like" Christie's, so reserve my judgment until later. Not a lot of people will.

Own the incident, as a company

One thing that surprised me while investigating and looking around the various resources is the lack of public "company position".

What I mean by that is nowhere have I found a statement by the company itself, straight from the source.

Articles mention statements that either Christie's or various spoke persons made to their news outlet, by email or other means. But only small extract or paraphrase pieces are available.

Social media accounts have been mostly silent on the issue or have "deflected" by quoting statements like this:

Linked In Post

While I appreciate the words from the CEO, and it definitely makes it more "personal", I strongly believe that a branded message addressing the situation would have a bigger impact.

Also, in the case of the LinkedIn post, it feels that the issue itself gets swept under the rug. If it wasn't for the embedded content starting with the issue, it wouldn't be there...

That brings the next question,

What are they hiding?

In today's day and age, for a company as important as Christie's, everything will likely surface at some point.

When you don't show any kind of transparency or are vague in your statements, the first response becomes that you're hiding something.

By the nature of its business and clientele, Christie's has to be a secret entity. They have to balance the need for anti-money laundering regulations and know your customer processes with the need for privacy and secrecy their high-profile client deserve and expect. Those clients implicitly trust Christie's to safeguard that privacy and set up what's needed for it to happen.

The nature of the incident seems to me the perfect occasion to bring some openness. A lack of which is often reproached to auction houses.

There may be some, but as an outsider, I don't see much downside to be clear and open about the issue. Especially once you've taken the first few steps to fixing the issue.

  • If it is only a small issue on your side, nothing too bad happened, it's been fixed, ... Everyone will appreciate the openness and you would earn credit and trust towards your clients (current and future) as well as anyone you deal with. They will feel reassured that you are a company they may want to interact with.
  • If it is indeed a cyber-attack / hack / ... They will appreciate knowing that it happened, what has happened and knowing that you are working on making sure it doesn't repeat in the future. They may not be pleased about it, may need to take some measure to mitigate the potential issues it created on their side, but again, the transparency will be appreciated.

About the last point, I assume that Christie's got in touch directly with their clients, especially the ones that could be the most exposed. They would still gain by being more public:

  • Clients may learn about the issue from Christie's first, rather than from the news or some 3rd party.
  • It provides a counter-point to the news articles.
  • It increases the public trust long term.

That would be a great way to help remedy the main impact of such incident.

Trust issues

Whatever has happened, as in any crisis, the trust has been damaged. The goal for Christie's (and any company in that situation) on the communication front is to make the damage as little as possible and start working on regaining it.

Even with the big week of sales going on, it is not "business as usual" yet. Ignoring the issue has it feels is happening isn't the solution.

From the various articles I have read, the terms hack, cyber-attack and similar are probably the most damaging ones, they feel "dramatic" and movie like. In reality, it can mean nothing or everything. And I have already covered why I believe Christie's should have had a stronger presence that what I have seen so far.

Through those articles, I also found some elements that to me sounds also damaging. I put some of them on the target audience of those outlets that is likely not technical enough, but also emphasize why over-simplifying isn't the right approach.

While the house has only called it a website outage, it is widely thought to be a cyberattack. (artnet.com)

[...] two auction house employees, who asked not to be identified because they were not authorized to speak publicly, described a state of panic in which top leaders remained quiet about the details of the security breach [...] (nytimes.com)

“A cyberattack like this is the 21st-century equivalent of a hand grenade in a small room,” - art market lawyer Thomas C. (nytimes.com)

“It’s a nightmare, obviously, with all the payment and purchaser data they own. I have not heard from Christie’s regarding my company’s account” - Wendy Cromwell (nytimes.com)

Those are the risk a company takes when not having a clear, precise and detailed communication about an incident.

It may have been the way to go but, things have changed with internet and social media.

Why wouldn't they be open?

As much as I would love them to be more open, I can understand why they wouldn't be. It is not something that came to my mind at first. Because I didn't ask myself the question.

I need to be fair in my assessment, and some past reading about stolen art and looting helped me identify one particular reason :

It's risky to do so

For stolen art, I couldn't find any easy / free database to access. I thought it would be an easy resource to find that helps people identify and report stolen art. It isn't. One of the reason it isn't is that it would help the thieves know what is known and what isn't. They may decide to destroy, or alter the art to make it unrecognizable.

In the case of Christie's, if they were to disclose the nature of the incident, it may give information to the (potential) attackers the attacker. They could identify other issues or gather important information to assist them. Christie's giving too much details in any direction could also serve as a motivating factor. They definitely don't need more troubles coming their way at the moment.

The bright side

The bright side for Christie's is that, despite this incident that "devastating" (the website is still down a week after), the sales have been maintained and with good results. So, it proves that their systems are resilient and that they can keep working even during such interruptions.

And news outlet have noticed as well :

Christie’s Contemporary Art Sales Show Strength in Face of Security Breach (barrons.com)

Hobbled by Cyberattack, Christie’s Says Marquee Sales Will Proceed (nytimes.com)

Conclusion

I really hope Christie's will be fine after that incident, I am sure they will, thanks to their size, reputation and the fact that things happen.

However, it may not be the case for all companies. I hope those (and the other like Christie's) will appreciate the opportunity that taking the lead on their communication in such crisis gives them, to the extent they can given their circumstances.

An opportunity to display their openness, ownership and understanding that incidents happen and are a way to move forward stronger.

Once recovered, their IT infrastructure will end up much more robust. Will their reputation ?

PS: Is your replacement damaging ?

In Christie's situation, I don't think that their replacement page can be much damage. However, it is not helping in any way.

Christie's website during outage

Here are the few issues that I see:

First, the URL in the address bar is https://dgc6x3fx379s3.cloudfront.net/, for a normal user, it feels fishy. I believe, if they can't access their primary domain, christies.com, they should still use a branded domain.

christies.auction for $1000000

The URL christies.auction seems perfect, but expensive... but any other alternative would be good too alternative. It is not as much having a great name as it is not having a bad one.

Finally, instead of "We apologise that our full website is currently offline. [...]" they should present a link to explanations on what's going on, what they do to fix, ... people who care would appreciate.