Cybersecurity and the Arts

Internet Security

Working in the arts, DWG sometimes hears that they don’t need all of the security standards of large corporations. I am reminded of a non-profit executive telling me awhile back that they don’t need to be like the Pentagon when we recommended a two factor authentication system. This article was inspired by a genuine concern that many art organizations may not be fully aware of the consequences of the slippery security slope.  Our hearts sank as we heard of The Met’s ordeal and our minds were outraged.  DWG does not know the exact cause of The Met cyberattack so this is not meant to be in any way derogatory to the wonderful folks at The Met. References and articles are included below.

Beginning on December 6th, 2022, hackers started the process of breaching the Met Opera’s information infrastructure. By December 7th, a cyber attack against The Metropolitan Opera in New York was well underway. The attack affected the opera’s network systems, including its internal network, website, ticketing server, box office, and phone center. The Opera’s website was restored eight days later, on December 15.

During this period, the opera continued its performances, and the Lincoln Center for the Performing Arts supported ticket sales until the Met could recover from the attack (Kudos Lincoln Center!). While the exact magnitude of the damage has not been disclosed, the stoppage in ticket sales effected revenue. According to Peter Gelb, The Met’s general manager, the opera earns roughly $200,000 in ticket sales per day throughout this season. Because the malware impeded the opera’s ability to sell tickets, seats were temporarily sold for $50 on the Lincoln Center for the Performing Arts website.

The cyber attack on the Met is far from the first on a cultural institution. In 2019, ransomware attacked the Asian Art Museum in San Francisco. In 2020, hackers obtained access to personal information from hundreds of cultural institutions and NGOs.   I’m sure you all have heard plenty of stories of hacks and cyberattacks.

Hackers do not care whether a business is a Fortune 500 company, a small business, or not-for-profit cultural institution like The Met, all these institutions still make transactions and hold their customers information.

A month after the attack on Met Opera, the attackers have yet to be identified, but The New York Times underlined the opera’s vocal support for Ukraine amid the ongoing Russia-Ukraine conflict.

But whatever the motivation and tactics, the cyberattack on the Met should serve as a wake-up call to other cultural organizations. Anyone could be a target. “I usually warn clients that everyone, regardless of size or sector, is a target. It should not take an occurrence like this to wake up other cultural institutions to the fact that they are in grave danger,” says Richard Sheinis, partner and head of data privacy and cybersecurity at full-service legal firm Hall Booth Smith.

Cultural organizations, like performing arts centers, theaters, and museums, are typically attractive targets for cyberattacks since they may not always have the time, money, skill-set, or up-to-the-minute understanding to build a good cybersecurity strategy. Unlike many for-profit organizations, which are victims of zero-day* vulnerabilities, the bulk of security breaches in smaller enterprises and most non-profits are caused by preventable flaws in human/device interaction. The untold story of cybersecurity is how criminals leverage the imperfect nature of humans to further their own goals.

Finding funding for cybersecurity is often difficult at a non-profit but it is a worthy investment.  A good security posture today, can save hundreds of thousands later, but many people are hard pressed to believe that it could happen to them. Furthermore, many cultural institutions are still striving to recover from the COVID-19 pandemic and are not in a position to embrace the additional concerns brought about by cybersecurity.

So, bringing cybersecurity to the forefront in a cultural institutions is the first critical step. Subsequent evaluation of the infrastructure, and investment in prevention, detection, and response can help lower the likelihood of cyber attacks while also mitigating the damage of an attack if one occurs. It is always recommended that the evaluation phase be done by in-house IT team, then if company lacks the means to retain in-house cybersecurity personnel, it can turn to third-party cybersecurity firms.

Please remember until you get a cybersecurity firm to help:

  • Layered firewalls (one from your service provider, one for your institution, and if you are running your ticketing server in-house, one more for that)
  • Separation of subdomains for internal and external networks,
  • SSL
  • Two-factor authentication
  • And for goodness sake, we recommend your site should not be on the same operating system as your ticketing server (if one is on windows, the other should be on Linux) – make the hackers work more difficult (hardening). If they are the same, security should be monitored in real-time.

* The term “zero-day” refers to newly found security flaws that hackers can exploit to attack systems. The term “zero-day” alludes to the fact that the vendor or developer only recently discovered the fault, implying that they have “zero days” to repair it. A zero-day attack occurs when hackers exploit a weakness before engineers have time to fix it.


Posted by The Met:

“After suffering a cyberattack that temporarily impacted our network systems, we’re pleased to announce that the Met is now able to process ticket orders through our website and in person at our box office. Based upon our ongoing investigations into the recent cyberattack, we would like to reassure our customers that ticketing customer data, including credit card information used when purchasing tickets, has not been stolen. We do not keep credit card information in the systems that were affected by the cyberattack. Thank you for your patience.”