Atlanta Printmakers Studio’s Jamaal Barber Grapples with the High Costs of Cyberfraud

by D. Amari Jackson

Last month, Atlanta Printmakers Studio’s Jamaal Barber was caught off guard. Stunned by an email he and his printmaking colleagues received at the Hapeville-based studio, the prominent artist and board member was unsure what to do next. 

“We tried to log in and we got an email message telling us that we can’t log in,” recalls Barber, paraphrasing the accompanying message. “And if you pay us a certain amount of money, we’ll give you your account back.” 

“So after that, there’s nothing much you can do,” laments Barber, depicting futile attempts to contact his social media providers to “try and get it resolved. But, so far, we’ve got no real response and no way to get our account back. We are a small organization and it’s not like we’ve got tons of money sitting around to pay off ransoms, and that’s not something we’d be prepared to do anyway,” he clarifies. “Unfortunately, we had spent all these years building up these 25 to 26,000 followers, and it was all gone, so we had to start from zero and just make another account.”

Barber is not alone. Such incidents have become more common in the world of art including  social media hacks along with the holding of sizable client databases for ransom and the proliferation of fake invoices sent to these databases. Auction houses, museums, and galleries are particularly vulnerable given they are digitally frequented by high-net-worth clients and institutions. 

In more high profile cases, hackers gain access to an art dealer’s email account and track all messages sent and received. Once a gallery emails a client an invoice upon a sale, hackers assume the identity of the gallery and use the same email address to send a bogus invoice in duplicate. The fraudulent invoice includes a note telling the client to ignore the original invoice and instead wire money to the account specified in the fraudulent document. Following the money’s transfer to the criminals’ account, the hackers relocate the funds to evade discovery. Payments that galleries make to their artists and other parties are intercepted using the same method. 

Whether sending fake invoices, holding a database hostage, or hacking social media sites, the victims of these cyberattacks are often left powerless. “After a week or two, we realized there was no way we were going get this back,” acknowledges Barber, whose organization has since established new social media accounts. “It’s like you really have no recourse.”

Such helplessness was recently exemplified by a public post from ZuCot Gallery in Atlanta. “Family, our gallery Instagram page was hacked on Saturday and taken down. The hacker is currently trying to ransom our page back to us. If you know anyone at Meta or IG please send me a DM or connect me as we are desperately trying to recover our page. We have done the normal protocol with no response from Instagram.”

Barber depicts the costs of such fraudulent activities, losses far more than monetary. “I think there  is an intention cost as well because we are a small organization and printmaking is very niche, so it’s not like we can just, at any time, reach everybody we want to reach,” he explains, depicting how the 19-year-old organization built its database “progressively, over a long period of time.” He points to the time and manpower involved in building and establishing social media accounts, advertising classes, keeping in touch with members, and promoting workshops. 

“So how many people won’t see our workshops now?” wonders Barber. “How many people won’t come to one of our big print events, won’t see what we’re doing, and won’t be inspired to contribute or take a class? The opportunity cost can’t be measured because you don't even know what it is.” As a small organization, he continues, “even if we only get ten percent of the people” we reach online, “that’s way more people than we would ever be able to get just on our own.” 

“And once that’s taken away, it’s taken away.”

In the art world, such hacking episodes are far from new. Back in 2017, close to a dozen galleries and individuals in the US and abroad were targeted by email scams that defrauded millions, including Swiss contemporary and modern art gallery, Hauser & Wirth, the president of Expo Chicago, and several prominent London-based dealers. In 2021, Art Basel exhibitors were notified by email that their data was likely compromised by a malware assault on the parent corporation of the exhibition as hackers took advantage of the invoices the galleries sent to their clients. In December 2023, a suspected cyberattack caused Gallery Systems, a software provider used by museums for digital collection display and documentation management, to abruptly cease operations. 

Two months ago, a group of cyber-extortionists known as “RansomHub” claimed responsibility for the apparent hack of Christie’s auction house during New York Auction Week. The organization subsequently uploaded an image on the dark web of some of the data seized during the attack which they labeled as the "sensitive personal information" of the auction house's elite customers. As a result, the Christie’s website was shut down and customers were required to place their bids in person, over the phone, or via a temporary website during the duration of May’s auctions. 

With private information about the extremely wealthy in their possession, some in the field believe enterprises and art institutions should take extra precautions to prevent security breaches despite exiting laws designed to thwart such fraudulence. The European Union’s 2018 General Data Protection Regulation on information privacy, and its comparable California Consumer Privacy Act of 2020, were both designed to generally enhance privacy rights and consumer protections. However, these acts have limited effects on the day-to-day operational cyber risks of art consumers and institutions, leading to a general consensus around such industry supported measures as encrypting email invoices before sending; keeping anti-virus software current; running regular system checks and backups; consistently changing all passwords for email, wifi, and software; avoiding weak passwords, outdated web browsers, and relevant design flaws; following up on sent messages to confirm receipt, sort code, and account number by client; contracting an external cyber security solution; implementing two-factor authentication, a method requiring two forms of identification to access data; keeping a dedicated server for client data that is not connected to the internet; and training personnel on effectively vetting emails and their attachments.

Still, even with a number of these measures in place, the true cost of getting hacked by cybercriminals can, ironically, be priceless, particularly for those entities who do not possess the resources and resilience of a major auction house like Christie’s. 

“Institutions like that have money and power behind them, and big time celebrity influence,” says Barber, contrasting the outreach implications for smaller platforms, particularly those serving communities of color. He points to certain historical moments, like the murder of George Floyd, when such smaller social media platforms helped galvanize groups of people around “certain causes and messages” both timely and inspiring. Given his studio’s compromised platform, and  today’s volatile political climate, Barber stresses “there’s no way to fully recapture these moments because, who knows where the country’s gonna go?” 

“Everything doesn’t survive past moments, especially the audience and attention that we may have gained from George Floyd that may be lost,” says Barber. “But you still have to be out here doing your work, still promoting, still finding a way to produce and have a relevant message about something in this environment.” He mentions the printmaker studio’s newsletter as another vehicle for outreach. “But in this environment, businesswise, everybody has Instagram, everybody has social media, and maybe we clicked on an email we weren’t supposed to but, I mean, how can you account for that? I can’t account for a mistake costing you this much.” 

“It’s almost like there is nothing you can do now that the damage is done,” reiterates Barber.  “We can’t bring about 25,000 followers again over the next month or two, you know what I’m saying?” 

“So we’re just back on the grind trying to make sure that we survive out here like everybody else.”