Artwork Archive has alerted users that one of their S3 buckets containing publicly reports was unsecured and exposed on the Internet. However, the company said they found no signs of suspicious activity after reviewing the bucket.
Artwork Archive is based in Denver, Colorado.
Researchers say the platform, which is used by artists to connect with potential buyers and sell their products, exposed the personally identifiable information (PII) of users.
On May 23, a cybersecurity company WizCase discovered a bucket belonging to Artwork Archive that did not require any authentication. The company disclosed the issue on Friday. The WizCase’s team said that the misconfigurations in the S3 bucket exposed over 200 000 files.
As a result, 421GB of data was exposed, which affected over 7,000 artists, collectors, and galleries, and “potentially their customers too.”
According to WizCase, the bucket stored the contact and financial information like purchase details, price of artwork, sales agreements, revenue reports, and over 9,000 invoices.
“These reports made it clear that the platform is managing sales in substantial amounts of money, with some pieces being sold for tens of thousands of US dollars.”
Among the data, there were full names, physical addresses, email addresses, city and country, company affiliations of individuals:
“These were usually contacts an artist added to Artwork Archive via their contact management feature and included art institutions, individual artists, art collectors, friends, and family,” the researchers say.
There were also inventory reports which listed artwork owned by specific artists, buyers, or galleries.
The storage system of Artwork Archive was secured on May 26 after WizCase’s team disclosed the issue to the company.