The Winter 2023 Hacking Attack on Museums

During the last week of October 2023, the criminal group Rhysida managed to gain access to the British Library’s servers, leading to widespread disruption. On October 28th, its public Wi-Fi stopped working, and its online catalogue was also down. The following day, the institution spoke of a “technological outage”, and for the next few days it was forced to operate in a pre-digital state – its website, phone lines and all online services were down, including exhibition ticket sales, reader registrations and card transactions in the shop. Also affected was the Library’s EThOS collection of more than 600,000 doctoral theses, considered essential for academic research. Needless to say, this was an incredible ordeal for the Library, as it meant that many researchers could not continue their work or gain access to the knowledge provided by the institution.

Almost a month later, the criminal gang offered 490,191 files stolen from the British Library for sale on the dark Web, which included staff’s personal data such as passport scans. The hackers offered it for sale for 20 bitcoins, which the BL refused to pay, so the data was eventually made available for anyone to download. The disruption caused by the attack would last for several months, and the entirety of services not yet been restored. Apart from its crippling effect on the dissemination of knowledge that the British Library is famed for, the attack may also have legal consequences: under local data-protection law, it is both the victim of a crime and theoretically liable for the breach of sensitive information that was supposedly in its care.

A few days later, the Toronto Public Library suffered a similar attack, setting off a widespread string of hackings against cultural institutions.

Since the BL’s ordeal, several institutions have fallen prey to hackers in a similar way. During the last week of December 2023, a museum software solutions provider titled Gallery Systems was hacked, affecting museums such as the Museum of Fine Arts in Boston, the Frances Lehman Loeb Art Center at Vassar College, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas. Luckily, larger institutions such as the Metropolitan Museum of Art and the Whitney Museum of American Art, both of whom use the same software, were spared due to the fact that they have their own databases. While apparently customer and visitor data was not affected, online services were severely disrupted, especially the digital collections: eMuseum, a tool that allows visitors search online collections, was down. Chaos also happened behind the scenes, as staff found themselves unable to access sensitive data including donor lists, loan agreements, provenance records, shipping information and storage locations of priceless artworks.

Unlike the BL’s attack, which was motivated by ransomware, the motivations behind this attack remain largely unclear.

As in most worst-case scenarios, the best approach is usually preventative. As evidenced by the fact that the Met and the Whitney managed to avoid the worst of the crisis, hosting your own database is one of the best options – although one not widely available for smaller museums and institutions that may have budgetary constraints. One large concern amongst experts is the fact that hackers can ultimately erase whatever information they manage to gain control of, including any scholarship done on a work, as the professor of art crime Erin Thompson has stated: “The objects in museums are valuable, but the information about them is truly priceless. Often, generations of curators will have worked to research and document an artefact. If this information is lost, the blow to our knowledge of the world would be immense.” As such, having a backup in an entirely different software is something that institutions should seriously begin to consider as the popularity of these cyberattacks increases.

Cybersecurity experts have advocated against engaging with the criminals in these cases, especially advising against giving into demands and paying for the information or restored access. Although it should obviously be considered on a case-by-case basis, this would further fuel the hacking industry and encourage other criminals to do the same. Ultimately, having an up-to-date and robust IT department is set to become increasingly important for cultural institutions in the next few years.

The Winter 2023 hacking attack against museums and libraries serves as a stark reminder of the vulnerabilities facing our cultural heritage institutions in the digital age. This incident not only highlights the immediate need for robust cybersecurity measures but also acts as a catalyst for a broader discussion on the future of heritage protection. As we move forward, it is imperative that museums and similar institutions not only strengthen their digital defences, but also foster a culture of continual learning and adaptation to emerging cyber threats. Over the next decades, collaborative efforts between cybersecurity experts, government agencies and cultural organisations will be crucial in developing comprehensive strategies that safeguard our precious historical and cultural treasures. By learning from the lessons of this attack, we can ensure that the legacy and integrity of our global heritage are preserved for future generations, in an era where the digital and physical worlds are increasingly intertwined.