The Winter 2023 Hacking Attack on Museums

An image of the outside of the British Library in London, showing a large, geometric red brick building. Image © Creative Commons via Wikimedia Commons / The British Library
Joe Syer, Co-Founder & Specialist

Since October 2023, there has been a significant increase in hacking attacks against museums and galleries. That month, the British Library’s database was hacked, leaving its online systems and services severely disrupted and jeopardising the sensitive data of thousands of staff and customers. Since then, dozens of cultural institutions have fallen victim to a similar scheme, causing those in the art world to ask: what lessons can we learn from these attacks and how can we prevent them?

An image of the reading room at the British Library, featuring thousands of books on shelves within a domed structure. Image © Creative Commons via Flickr / The Reading Room at the British Library

October 2023 British Library Attack

During the last week of October 2023, the criminal group Rhysida managed to gain access to the British Library’s servers, leading to widespread disruption. On October 28th, its public Wi-Fi stopped working, and its online catalogue was also down. The following day, the institution spoke of a “technological outage”, and for the next few days it was forced to operate in a pre-digital state – its website, phone lines and all online services were down, including exhibition ticket sales, reader registrations and card transactions in the shop. Also affected was the Library’s EThOS collection of more than 600,000 doctoral theses, considered essential for academic research. Needless to say, this was an incredible ordeal for the Library, as it meant that many researchers could not continue their work or gain access to the knowledge provided by the institution.

Almost a month later, the criminal gang offered 490,191 files stolen from the British Library for sale on the dark web, which included staff’s personal data such as passport scans. The hackers offered it for sale for 20 bitcoins, which the BL refused to pay, so the data was eventually made available for anyone to download. The disruption caused by the attack would last for several months, and the entirety of services has not yet been restored. Apart from its crippling effect on the dissemination of knowledge that the British Library is famed for, the attack may also have legal consequences: under local data-protection law, the Library is both the victim of a crime and theoretically liable for the breach of sensitive information that was supposedly in its care.

A few days later, the Toronto Public Library suffered a similar attack, setting off a widespread string of hackings against cultural institutions.

“The people responsible for this cyber-attack stand against everything that libraries represent: openness, empowerment, and access to knowledge.”
Roly Keating, the B.L.’s chief executive
An outdoor image of the Museum of Fine Arts, Boston in the evening. It shows the building's facade and an equestrian statue. Image © Creative Commons via Flickr / The Museum of Fine Arts Boston, one of the victims of the cyberattack

December 2023 Widespread Attack on US Museums

Since the BL’s ordeal, several institutions have fallen prey to hackers in a similar way. During the last week of December 2023, a museum software solutions provider named Gallery Systems was hacked, affecting museums such as the Museum of Fine Arts in Boston, the Frances Lehman Loeb Art Center at Vassar College, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas. Luckily, larger institutions such as the Metropolitan Museum of Art and the Whitney Museum of American Art, both of which use the same software, were spared because they have their own databases. While customer and visitor data was apparently not affected, online services were severely disrupted, especially the digital collections: eMuseum, a tool that allows visitors to search online collections, was down. There was also chaos behind the scenes, as staff found themselves unable to access sensitive data including donor lists, loan agreements, provenance records, shipping information and storage locations of priceless artworks.

Unlike the attack on the BL, which was a ransomware operation, the motivations behind this attack remain largely unclear.

An image of the facade of the Metropolitan Museum of Art, adorned with a red banner with the museum's logo. Image © Creative Commons via Flickr / The facade of the Metropolitan Museum of Art

How Cultural Institutions Can Protect Themselves From Cyber Attacks

As in most worst-case scenarios, the best approach is usually preventative. As evidenced by the fact that the Met and the Whitney managed to avoid the worst of the crisis, hosting your own database is one of the best options, although one not widely available to smaller museums and institutions that may have budgetary constraints. One large concern amongst experts is that hackers can ultimately erase whatever information they manage to gain control of, including any scholarship done on a work. As the professor of art crime Erin Thompson has stated: “The objects in museums are valuable, but the information about them is truly priceless. Often, generations of curators will have worked to research and document an artefact. If this information is lost, the blow to our knowledge of the world would be immense.” As such, keeping a backup in an entirely different software system is something that institutions should seriously begin to consider as these cyberattacks become more common.

Cybersecurity experts have advocated against engaging with the criminals in these cases, especially advising against giving in to demands and paying for the information or restored access. Although it should obviously be considered on a case-by-case basis, paying would further fuel the hacking industry and encourage other criminals to do the same. Ultimately, having an up-to-date and robust IT department is set to become increasingly important for cultural institutions in the next few years.

An outdoor image of the facade of the Whitney Museum, a modernist looking building against a blue sky. Image © Creative Commons via Flickr / The facade of the Whitney Museum

The Future of Cybersecurity and Heritage Protection

The Winter 2023 hacking attack against museums and libraries serves as a stark reminder of the vulnerabilities facing our cultural heritage institutions in the digital age. This incident not only highlights the immediate need for robust cybersecurity measures but also acts as a catalyst for a broader discussion on the future of heritage protection. As we move forward, it is imperative that museums and similar institutions not only strengthen their digital defences, but also foster a culture of continual learning and adaptation to emerging cyber threats. Over the next decades, collaborative efforts between cybersecurity experts, government agencies and cultural organisations will be crucial in developing comprehensive strategies that safeguard our precious historical and cultural treasures. By learning from the lessons of this attack, we can ensure that the legacy and integrity of our global heritage are preserved for future generations, in an era where the digital and physical worlds are increasingly intertwined.
