Update: Artwork Archive said that it was aware of this issue a month ago. It then addressed the issue, and an investigation by its team found no suspicious activity. Artwork Archive has also alerted its users about the matter.
Artwork Archive further clarified to ZDNet that the company was made aware of the security issue on May 25 and acted “within the hour” to tackle it. The storage system was secured on the same day.
WizCase’s team of ethical hackers found a misconfigured Amazon S3 bucket belonging to Artwork Archive, containing over 200,000 files and 421 GB of data, which exposed the data of thousands of customers and artists.
The data in question contains users’ names, surnames, email addresses, physical addresses, and other sensitive information. Thousands of artists, collectors, and their customers were left vulnerable. No password or login credentials were needed to access this information, and the data was not encrypted. The exposed bucket has since been secured.
The files were dated from August 2015 to the time of discovery. The bucket left over 7,000 artists, collectors, and galleries vulnerable, and potentially their customers too. The exposed PII included full names, physical addresses, email addresses, and purchase details.
The majority of the PII came in the form of over 9,000 invoices for the sale of artwork. These invoices contained different details depending on the seller, but most included at least the PII of the artist themselves.