Sotheby’s, the world-renowned auction house, has confirmed a data breach in which threat actors gained access to its systems and stole sensitive personal information.

According to disclosure documents, the New York-based luxury auction company detected unauthorized activity in its network on July 24. Subsequent investigations determined that the attackers exfiltrated files containing names, Social Security numbers, and financial account details.

Notifications sent to impacted individuals — and filed with the Maine Attorney General’s Office (AGO) — indicate that Sotheby’s is providing 12 months of complimentary credit monitoring services to affected persons.

While the exact number of victims has not been made public, the Maine AGO confirmed that two state residents were affected. A separate filing with Massachusetts authorities reported ten impacted residents, suggesting that the overall number of compromised individuals is relatively limited.

At this time, it remains unclear whether the breach involved employees, clients, or both.

Sotheby’s has not disclosed whether the intrusion was part of a ransomware operation, and no known ransomware groups have claimed responsibility for the attack.