Why Arts Organizations Can No Longer Ignore Cybersecurity
We originally wrote this up after the Met Opera was attacked. Although there have been some limited improvements in the C-suite's approach to security in arts organizations, I am still dumbfounded at the lack of security in some organizations, especially in the age of AI, where, based on AWS’ information, the number of hack attempts has increased by 700%.
“Beginning on December 6, 2022, hackers started the process of breaching the Met Opera’s information infrastructure.” By December 7, a cyber-attack “against The Metropolitan Opera in New York was well underway.” The attack affected the opera’s network systems, including its internal network, website, ticketing server, box office, and phone center. The Opera’s website was restored eight days later, on December 15. According to Peter Gelb, The Met’s general manager, the opera earns roughly $200,000 in ticket sales per day throughout this season. Because the malware impeded the opera’s ability to sell tickets, seats were temporarily sold for $50 on the Lincoln Center for the Performing Arts website, resulting in a significant revenue loss that extended beyond the downtime period.
In August 2024, approximately 40 French museums were hit by a ransomware attack, most notably the Grand Palais and other institutions within the Réunion des Musées Nationaux (RMN) network.
The attack was detected on Sunday, August 4, 2024, and occurred during the Paris 2024 Olympics. The Grand Palais was actively hosting fencing and taekwondo competitions at the time, while the Château de Versailles (also in the RMN network) was hosting equestrian sports and modern pentathlon events.
- The attackers encrypted parts of the museums’ systems, requested a ransom in cryptocurrency, and threatened to leak data if payment wasn’t made within 48 hours.
- Authorities confirmed that no data extraction was detected, and the Olympic competitions proceeded as planned.
- The attack affected the RMN online shop (boutiquesdemusees.fr) but didn’t interrupt Olympic events.
The Growing Threat Landscape for Cultural Institutions
The cyber-attack on the Met is far from an isolated incident. The threat landscape has only intensified since COVID:
- The British Museum (2025)
- The French Museums (2024)
- Museum of Fine Arts, Boston (2024)
- Gallery Systems (software provider) (2023)
- Optimizely – previously known as EpiServer (software provider) (multiple hacks and vulnerabilities since 2022)
- The 2022 Met Opera attack highlighted the vulnerability of even the most prestigious institutions
- In 2020, hackers obtained access to personal information from hundreds of cultural institutions and NGOs
Ransomware attacks on cultural institutions have increased significantly in recent years, with a notable rise of over 40% since 2022. Additionally, AI-driven phishing attempts are becoming increasingly sophisticated, making it easier for hackers to execute social engineering scams.
They’re crafting compelling messages that can trick employees into handing over sensitive data without a second thought. We also need to be worried about supply chain attacks.
Cybercriminals are now targeting ticketing platforms and donation processing systems, which opens up new avenues for them to infiltrate organizations. And let’s not forget about state-sponsored hackers — they keep coming at institutions based on their public stance on international and political issues. It’s essential to recognize that hackers don’t discriminate; they target everyone, whether you’re a Fortune 500 company, a small business, or a not-for-profit cultural institution like the RMN. These places handle transactions, store customer info, maintain donor databases, and are increasingly dependent on digital infrastructure to keep things running smoothly.
While the attackers of the Met Opera were never publicly identified, The New York Times underlined the opera’s vocal support for Ukraine amid the ongoing Russia-Ukraine conflict—a reminder that cultural institutions can become targets for geopolitically motivated cyberattacks.
Why Cultural Organizations Are Prime Targets
The cyberattack on the Met should serve as a wake-up call to other cultural organizations. Anyone could be a target. “I usually warn clients that everyone, regardless of size or sector, is a target. It should not take an occurrence like this to wake up other cultural institutions to the fact that they are in grave danger,” says Richard Sheinis, partner and head of data privacy and cybersecurity at full-service legal firm Hall Booth Smith.
Cultural organizations (performing arts centers, theaters, museums, galleries, and educational institutions) are desirable targets for several reasons:
Limited Resources: They may not always have the time, money, skill set, or up-to-the-minute understanding to build a robust cybersecurity strategy.
Legacy Systems: Many cultural institutions operate on outdated technology that lacks modern security features and may no longer receive security updates.
Valuable Data: Donor databases, patron information, payment processing systems, and intellectual property (recordings, digital archives) represent valuable targets.
Human Factor Vulnerabilities: Unlike many for-profit organizations, which are often victims of zero-day vulnerabilities, the bulk of security breaches in smaller enterprises and most non-profits are caused by preventable flaws in human-device interaction. The untold story of cybersecurity is how criminals exploit the imperfect nature of humans to further their own goals, and this has only worsened with AI-generated phishing that can convincingly impersonate executives, board members, or vendors.
High-Profile Impact: Attacks on cultural institutions generate significant media attention, which appeals to hackers seeking notoriety or making political statements.
The Post-Pandemic Reality
Finding funding for cybersecurity has always been difficult at non-profits, but it is a worthy investment. A good security posture today can save hundreds of thousands—or even millions—later. However, many people are hard-pressed to believe that it could happen to them.
While many cultural institutions have recovered operationally from the COVID-19 pandemic, the digital transformation forced by the pandemic has actually expanded their attack surface. Virtual programming, streaming services, expanded e-commerce, remote work arrangements, and cloud-based operations have all created new vulnerabilities that didn’t exist before 2020.
Additionally, new regulatory requirements have emerged:
- Enhanced data privacy regulations (GDPR, CCPA, and state-level privacy laws)
- Mandatory breach notification requirements with shorter timeframes
- Increased liability for data breaches, with potential fines reaching millions of dollars
- Cyber insurance requirements that mandate specific security controls
Modern Cybersecurity: Essential Steps for Cultural Institutions
Bringing cybersecurity to the forefront in cultural institutions is the first critical step. Subsequent evaluation of the infrastructure and investment in prevention, detection, and response can help reduce the likelihood of cyberattacks while also mitigating the damage if one occurs.
Recommended Approach:
- Initial Assessment: Have your in-house IT team conduct a comprehensive security audit
- Expert Partnership: If your organization lacks the means to retain in-house cybersecurity personnel, partner with third-party cybersecurity firms specializing in non-profit or cultural institutions
- Board-Level Engagement: Ensure cybersecurity is a regular board agenda item, not just an IT concern
- Cyber Insurance: Obtain appropriate cyber liability insurance (though be aware that insurers now require proof of security controls)
Critical Security Controls for 2025
Until you engage a cybersecurity firm, implement these essential protections:
Multi-Layered Firewall Protection
When it comes to safeguarding your institution’s digital environment, it’s essential to utilize multiple layers of firewall protection. Start with an edge firewall provided by your internet service provider, which acts as the first line of defense against external threats. Within your organization, an institutional firewall shields your internal network from unauthorized access. For systems that handle sensitive tasks, such as ticketing, donation processing, or managing customer relationships, application-specific firewalls provide an additional layer of security tailored to those specific needs. To stay ahead of evolving threats, consider next-generation firewalls that include advanced features such as intrusion detection and prevention, providing more robust protection for your critical systems.
Network Segmentation
When organizing your network, place internal and externally reachable systems on separate network segments (subnets) so that there is a clear division between them. Your payment processing systems should run on their own isolated network to maintain PCI-DSS compliance. The guest Wi-Fi needs to be wholly disconnected from the main operational networks your team uses daily. And whenever you can, go with a zero-trust model, which means verifying every single access request—no matter where it’s coming from.
Modern Encryption Standards
Having SSL/TLS certificates on all your websites isn’t optional; it’s required. For any sensitive communications, ensure that there’s end-to-end encryption to keep information private from start to finish. When it comes to storing data, especially information such as donor and patron details, encrypt that data while it’s stored on your servers. Also, remember to regularly check and renew your certificates to maintain security and ensure everything remains up to date.
Multi-Factor Authentication (MFA)
All staff accounts, not just those belonging to administrators, need to have multi-factor authentication in place. Whenever someone tries to access institutional systems remotely, it’s absolutely required. You should also enable MFA for donor portals and patron accounts whenever possible. Instead of relying on SMS codes, which can be intercepted, it’s better to use authenticator apps or hardware tokens for added security.
System Hardening and Diversity
To strengthen your cybersecurity posture, your website and your ticketing server mustn’t run on the same operating system. For instance, if your website uses Windows, consider running your ticketing server on Linux. This makes it significantly harder for hackers to compromise both systems simultaneously. If there’s no way to avoid using the same operating system for multiple critical systems, ensure that you have real-time security monitoring in place, complete with 24/7 alerts, so you’re always informed of any suspicious activity. Another key step is to stay on top of regular patching schedules for all your systems and applications, ensuring vulnerabilities are addressed as soon as updates become available. Lastly, take some time to review your systems and remove or disable any unnecessary services and applications—they can present risks if left unchecked.
New Essential Protections (2025 Standards)
Email Security:
- Advanced email filtering with AI-powered phishing detection
- DMARC, SPF, and DKIM email authentication protocols
- Email sandboxing for suspicious attachments
- Regular phishing simulation training for all staff
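The DMARC, SPF and DKIM records above are only as good as their settings, so a reasonable first check is to read what your domain actually publishes. The following is an added example (not code from the original post) that scores SPF and DMARC records for the weak settings receivers care about and confirms a DKIM selector is published; it runs against a constructed in-memory table of TXT records for the hypothetical domain example-opera.org instead of live DNS.

```python
import re
from typing import Dict, List, Optional

# Constructed sample DNS TXT records for a hypothetical domain (not a real organization).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-opera.org": ["v=spf1 include:_spf.example-mailer.net ~all"],
    "_dmarc.example-opera.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example-opera.org"],
    "selector1._domainkey.example-opera.org": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}
# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|redirect|exists)(?=[:/=]|$)", re.I)

def check_spf(record: Optional[str]) -> List[str]:
    """Return weaknesses in an SPF record; an empty list means nothing was flagged."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    findings, terms = [], record.split()
    all_terms = [t for t in terms if t.lower().endswith("all")]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1].lower() in ("+all", "all", "?all"):
        findings.append(f"SPF ends with '{all_terms[-1]}': any host may send as this domain")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; receivers return permerror above 10")
    return findings

def check_dmarc(record: Optional[str]) -> List[str]:
    """Return weaknesses in a DMARC record: policy strength, reporting and coverage."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC record missing"]
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";")) if k.strip()}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag 'p' missing or invalid")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports will never be received")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings

def audit_domain(domain: str, txt=SAMPLE_TXT, selectors=("selector1",)) -> Dict[str, List[str]]:
    """Run the SPF, DMARC and DKIM-selector checks for one domain against a TXT lookup table."""
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = txt.get("_dmarc." + domain, [])
    return {"spf": check_spf(spf[0] if spf else None),
            "dmarc": check_dmarc(dmarc[0] if dmarc else None),
            "dkim": [f"No DKIM public key published for selector '{s}'"
                     for s in selectors if not txt.get(f"{s}._domainkey.{domain}")]}
```

For a live check, replace the SAMPLE_TXT table with the TXT answers from your resolver; the sample deliberately publishes p=none so that the audit reports it.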
Endpoint Detection and Response (EDR):
- Deploy EDR solutions on all devices (computers, tablets, phones)
- Real-time monitoring and automated threat response
- Regular endpoint security assessments
Backup and Recovery:
- Implement the 3-2-1 backup rule: 3 copies of data, 2 different media types, 1 offsite
- Immutable backups that cannot be encrypted by ransomware
- Regular backup testing and documented recovery procedures
- Air-gapped backups for critical data
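The backup requirements above are easy to state and easy to drift away from, so an inventory check is worth automating. This added example (not code from the original post) evaluates a constructed backup inventory for a hypothetical ticketing database against the 3-2-1 rule, the immutable and air-gapped copy requirements, and, going one step beyond the bullets, whether each copy has had a documented restore test recently.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    offsite: bool               # stored at a different physical site or region
    immutable: bool             # WORM / object-lock: cannot be overwritten or encrypted in place
    air_gapped: bool            # disconnected from the production network between backup jobs
    last_restore_test_days: Optional[int]  # days since a documented restore test; None = never

def evaluate_backups(copies: List[BackupCopy], max_test_age_days: int = 90) -> List[str]:
    """Report gaps against the 3-2-1 rule plus the immutability, air-gap and testing requirements."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"Only {len(copies)} copies; the 3-2-1 rule needs 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        gaps.append(f"All copies share one media type ({', '.join(sorted(media)) or 'none'}); need 2")
    if not any(c.offsite for c in copies):
        gaps.append("No offsite copy: a fire, flood or site-wide ransomware event destroys every copy")
    if not any(c.immutable for c in copies):
        gaps.append("No immutable copy: ransomware with backup-server access can encrypt all backups")
    if not any(c.air_gapped for c in copies):
        gaps.append("No air-gapped copy for critical data")
    # A backup that has never been restored is a hope, not a recovery plan.
    untested = [c.name for c in copies
                if c.last_restore_test_days is None or c.last_restore_test_days > max_test_age_days]
    if untested:
        gaps.append(f"Restore not tested within {max_test_age_days} days: {', '.join(untested)}")
    return gaps

# Constructed inventory for a hypothetical ticketing database (not a real organization).
TICKETING_BACKUPS = [
    BackupCopy("nightly-snapshot", "disk", offsite=False, immutable=False, air_gapped=False,
               last_restore_test_days=12),
    BackupCopy("cloud-replica", "object-storage", offsite=True, immutable=False, air_gapped=False,
               last_restore_test_days=None),
]
```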
Access Management:
- Principle of least privilege (users only get access they absolutely need)
- Regular access reviews and removal of unnecessary permissions
- Immediate account deactivation procedures when staff leave
- Privileged Access Management (PAM) for administrative accounts
Vendor Risk Management:
- Security assessments of all third-party vendors (ticketing platforms, payment processors, cloud services)
- Contractual security requirements and right-to-audit clauses
- Regular vendor security reviews
- Incident response coordination with critical vendors
Security Awareness Training:
- Mandatory annual cybersecurity training for all staff, volunteers, and board members
- Regular updates on emerging threats (especially AI-powered scams)
- Clear incident reporting procedures
- Simulated phishing exercises to test and improve awareness
Incident Response Plan:
- Documented procedures for various attack scenarios
- Transparent chain of command and communication protocols
- Pre-identified cybersecurity incident response team
- Relationships established with forensic firms and legal counsel before an incident occurs
- Regular tabletop exercises to test the plan
The AI Factor: New Threats and Defenses
The emergence of sophisticated AI tools has fundamentally changed the threat landscape since 2022:
AI-Powered Threats:
Attackers are now using deepfake technology to create convincing audio and video, making it possible for someone to impersonate your executive director on a “video call” and request an urgent fund transfer. Phishing emails have become increasingly sophisticated; thanks to AI, they’re not only grammatically flawless but also highly personalized, making them harder to detect. Furthermore, hackers can automate the process of scanning for vulnerabilities and exploiting them, while AI-powered tools are making password cracking faster and more efficient than ever.
AI-Enhanced Defenses:
Today, machine learning can help identify suspicious activity that deviates from typical patterns, making it easier to detect threats early. Security information and event management systems powered by AI now sift through massive amounts of data, flagging potential issues much faster than a human could. When an incident does occur, automated response tools can jump into action and contain threats within seconds, minimizing damage. Additionally, behavioral analytics enable organizations to monitor for insider threats or compromised accounts by identifying when someone acts out of character.
Compliance and Legal Considerations
Cultural institutions must now navigate an increasingly complex regulatory environment:
- Data Privacy Laws: Compliance with GDPR (if you have European patrons), CCPA, and various state privacy laws
- Payment Card Industry (PCI-DSS): Mandatory if you process credit card payments
- Breach Notification Laws: Most states require notification within 30-90 days of discovery
- Donor Trust: Failure to protect donor information can result in loss of funding and reputational damage that takes years to recover from
The True Cost of a Breach
Beyond immediate revenue loss (like The Met’s $200,000 per day), consider:
- Incident Response Costs: Forensic investigation, legal fees, and remediation can cost $500,000-$2 million
- Regulatory Fines: Up to millions of dollars for privacy law violations
- Reputation Damage: Loss of donor confidence and patron trust
- Operational Disruption: Staff time diverted to recovery efforts for months
- Legal Liability: Potential class-action lawsuits from affected patrons or donors
- Insurance Premium Increases: Cyber insurance costs will skyrocket after a breach
Making the Business Case
When presenting cybersecurity needs to boards and leadership:
- Frame it as mission protection: A cyberattack doesn’t just affect IT; it threatens your ability to serve your community and fulfill your mission.
- Quantify the risk: The Met lost approximately $1.6 million in ticket revenue during its eight-day outage, excluding recovery costs.
- Compare costs: Investing $50,000-$100,000 annually in security is far cheaper than recovering from a $2 million breach.
- Highlight regulatory requirements: Non-compliance isn’t optional and carries mandatory penalties.
- Emphasize donor stewardship: Protecting donor information is a fiduciary responsibility.
Conclusion: Security Is Not Optional
The notion that cultural institutions “don’t need to be like the Pentagon” is a dangerously outdated idea. In 2025, every organization that processes payments, stores personal information, or operates online is a potential target for cyberattacks. The question is not whether your institution could be attacked, but when—and whether you’ll be prepared.
The Met Opera’s experience should serve as both a warning and a roadmap. An eight-day offline period, significant revenue loss, and immeasurable reputational impact could have been mitigated with proper security investments. As Richard Sheinis noted, everyone is a target regardless of size or sector.
Cultural institutions hold treasures—both physical and digital—that enrich our communities. Protecting these assets, along with the trust of patrons and donors, requires taking cybersecurity seriously. The good news is that many attacks are preventable with proper planning, investment, and vigilance.
Don’t wait for your organization to make headlines for the wrong reasons. Start the cybersecurity conversation today.
The term “zero-day” refers to newly found security flaws that hackers can exploit to attack systems. The name reflects the fact that the vendor or developer has only just discovered the fault, and so has had “zero days” to rectify it. A zero-day attack occurs when hackers exploit such a vulnerability before engineers have a chance to fix it.
References and Further Reading:
- NIST Cybersecurity Framework for Cultural Institutions
- FBI Internet Crime Complaint Center (IC3) Reports
- Cybersecurity & Infrastructure Security Agency (CISA) Resources for Non-Profits
- “The Met Opera Cyberattack: Lessons Learned” – Various industry publications
- “Dozens of French Museums Hit by Ransomware Attack” – Various publications