Artwork Archive cloud storage misconfiguration exposed user data, revenue records

Update (July 16, 2021): Artwork Archive told ZDNet it received notice a month or so ago about a single open S3 bucket -- a folder where it keeps publicly shareable reports. It addressed it, and after an investigation by its team, it found no suspicious activity. Artwork Archive said it has also alerted users about this issue. 

Artwork Archive told ZDNet that the company was made aware of the security issue on May 25 and acted "within the hour" to tackle the security issue. The storage system was secured on the same day. 

Researchers say a platform used to connect artists and potential buyers potentially exposed information belonging to users. 

On Friday, the WizCase team, led by Ata Hakçıl, said that misconfigurations in an Amazon S3 bucket belonging to Artwork Archive exposed over 200 000 files. 

Artwork Archive said that "there is no other evidence that this was accessed by anyone other than the third-party cybersecurity company."

Based in Denver, Colorado, Artwork Archive is marketed as a platform to "give artists, collectors, and organizations a better way to manage their art." Software solutions are offered on a subscription basis to manage both the purchase and sale of artwork.

The security researchers discovered the bucket, which did not require any authentication to access, in May. 

In total, 421GB of data was contained in the bucket. Dating back to August 2015, the records related to over 7000 artists, collectors, and galleries, and "potentially their customers, too," according to WizCase. Data available to view included full names, physical addresses, and email addresses. 

Purchase details, too, were included. WizCase found approximately 9000 invoices, as shown below, including the price of artwork and sales agreements, alongside revenue reports.

In addition, "exported contacts" were stored in the bucket, containing full names, phone numbers, email addresses, city and country, and company affiliations of individuals.

"These were usually contacts an artist added to Artwork Archive via their contact management feature and included art institutions, individual artists, art collectors, friends, and family," the researchers say. 

Finally, WizCase discovered inventory reports which listed artwork owned by "specific artists, buyers, and galleries." 

The co-founder of Artwork Archive, Justin Anthony, thanked WizCase for their report and told ZDNet that the misconfiguration was "anomalous" considering the company's stance on the security and privacy of its users.

"Maintaining the privacy of our clients and keeping their data secure has always been core to what we do," Anthony commented. "Security is our top priority [...] and this is not something that has impacted our users at large."

Update (July 17, 2021): Added further commentary from Artwork Archive. 

Previous and related coverage

• Guess announces breach of employee SSNs and financial data after DarkSide ransomware attack.
  
• Oil giant Shell discloses data breach linked to Accellion FTA vulnerability.
  
• T-Mobile discloses its fourth data breach in three years.
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0