A few weeks after a major cyberattack took down its website during the peak of auction season, Christie’s is now facing a class action lawsuit. The suit alleges negligence, breach of implied contract, unjust enrichment, and violation of the New York Deceptive Trade Practices Act.
The lead plaintiff, Efstathios Maroulis from Dallas, Texas, filed the suit on June 3 in the U.S. District Court for the Southern District of New York.
According to the complaint, Christie’s failed to “properly secure and safeguard sensitive information of its customers.” The plaintiffs claim they entrusted their personal information to the auction house “with the mutual understanding that the defendant would protect it against disclosure.” However, this information was “targeted, compromised, and unlawfully accessed due to the data breach.”
The compromised personal information included the plaintiffs’ “full names, genders, passport numbers, expiration dates, dates of birth, birthplaces, MRZs, countries, and document numbers,” as stated in the complaint. MRZ refers to the “machine readable zone” in a passport that contains the document holder’s personal data. The complaint alleged that the information compromised in the data breach was “exfiltrated by cyber-criminals and remains in the hands of those cyber-criminals who target” the information for its value to identity thieves. As a result of the breach, the complaint claimed, roughly 500,000 class action members have been exposed to invasion of privacy, theft of information, and lost time and opportunity costs associated with attempting to mitigate the potential consequences of the breach. The 56-page complaint provides extensive detail about Christie’s responsibilities and its failure to protect personal data, highlighting the ongoing vulnerability clients face. It specifically mentions a “heightened and imminent risk of fraud and identity theft.”