information, the number of hack attempts has increased by 700%.<\/span><\/p>\n“B<\/span>eginning on December 6, <\/span>2022, hackers started the process of breaching the Met <\/span>Opera’s<\/span> information infrastructure.<\/span>” <\/span>By December<\/span> 7, a cyber-attack<\/span> “<\/span>against The Metropolitan Opera in New York was well underway. The attack affected the <\/span>opera’s<\/span> network systems, including its internal network, website, ticketing server, box office, and phone center. The <\/span>Opera’s<\/span> website was restored eight days later, on December 15. According to Peter Gelb, The <\/span>Met’s<\/span> general manager, the opera earns roughly $200,000 in ticket sales per day throughout this season. Because the malware impeded the <\/span>opera’s<\/span> ability to sell tickets, seats were temporarily sold for $50 on the Lincoln Center for the Performing Arts website,<\/span> resulting in a significant revenue loss that extended beyond the downtime period.<\/span><\/p>\nIn August 2024, approximately 40 French museums were hit by a ransomware attack, most notably the <\/span>Grand Palais<\/span><\/strong> and other institutions within the R\u00e9union des Mus\u00e9es Nationaux (RMN) network.<\/span><\/p>\nThe attack was detected on Sunday, August 4, 2024, and occurred during the Paris 2024 Olympics. <\/span>The Grand Palais was actively hosting fencing and taekwondo competitions at the time, while the Ch\u00e2teau de Versailles (also in the RMN network) was hosting equestrian sports and modern pentathlon events.<\/span><\/p>\n\n- \n
\n- \n
\n- The attackers encrypted parts of the <\/span>museums’<\/span> systems, requested a ransom in cryptocurrency, and threatened to leak data if payment <\/span>wasn’t<\/span> made within 48 hours.<\/span><\/li>\n
- Authorities confirmed that no data extraction was detected, and the Olympic competitions proceeded as planned.<\/span><\/li>\n
- The attack affected the RMN online shop (boutiquesdemusees.fr) but <\/span>didn’t<\/span> interrupt Olympic events.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
The Growing Threat Landscape for Cultural Institutions<\/span><\/strong><\/p>\nThe cyber-attack on the Met is far from an isolated incident. The threat landscape has only intensified since COVID:<\/span><\/p>\n\n- \n
\n- \n
\n- The British Museum<\/span><\/strong>(2025)<\/span><\/li>\n
- The French Museums<\/span><\/strong>(2024)<\/span><\/li>\n
- Museum of Fine Arts, Boston <\/span><\/strong>(2024)<\/span><\/li>\n
- Gallery Systems (software provider)<\/span><\/strong>(2023)<\/span><\/li>\n
- Optimizely \u2013 previously known as EpiServer (software provider) (multiple hacks and vulnerabilities since 2022)<\/span><\/strong><\/li>\n
- The 2022 Met Opera attack highlighted the vulnerability of even the most prestigious institutions<\/span><\/li>\n
- In 2020, hackers obtained access to personal information from hundreds of cultural institutions and NGOs<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Ransomware attacks on cultural institutions have increased significantly in recent years, with a notable rise of over 40% since 2022.<\/span> Additionally, AI-driven phishing attempts are becoming increasingly sophisticated, making it easier for hackers to execute social engineering scams. <\/span><\/p>\nThey\u2019re<\/span> crafting compelling messages that can trick employees into handing over sensitive data without a second thought. We also need to be worried about supply chain attacks. <\/span><\/p>\nCybercriminals are now targeting ticketing platforms and donation processing systems, which opens up new avenues for them to infiltrate organizations<\/span>. And <\/span>let\u2019s<\/span> not forget about state-sponsored hackers \u2014 they keep coming at institutions based on their public stance on international and political issues. <\/span>It\u2019s<\/span> essential to recognize that hackers <\/span>don\u2019t<\/span> discriminate; they target everyone, whether <\/span>you\u2019re<\/span> a Fortune 500 company, a small business, or a not-for-profit cultural institution like the RMN.<\/span> These places handle transactions, store customer info, maintain donor databases, and are increasingly dependent on digital infrastructure to keep things running smoothly.<\/span><\/p>\nWhile the attackers of the Met Opera were never publicly identified, <\/span>The New York Times underlined the <\/span>opera’s<\/span> vocal support for Ukraine amid the ongoing Russia-Ukraine<\/span> conflict\u2014a reminder that cultural institutions can become targets for geopolitically motivated cyberattacks.<\/span><\/p>\nWhy Cultural Organizations Are Prime Targets<\/span><\/strong><\/p>\nThe cyberattack on the Met should serve as a wake-up call to other cultural organizations. Anyone could be a target.<\/span> “<\/span>I usually warn clients that everyone, regardless of size or sector, is a target. It should not take an occurrence like this to wake up other cultural institutions to the fact that they are in grave danger,<\/span>” <\/span>says Richard Sheinis, partner and head of data privacy and cybersecurity at full-service legal firm Hall Booth Smith.<\/span><\/p>\nCultural<\/span> organizations, performing arts centers, theaters, museums, galleries, and educational institutions, are desirable targets for several reasons:<\/span><\/p>\nLimited Resources:<\/span><\/strong> They may not always have the time, money, skill set, or up-to-the-minute understanding to build a robust cybersecurity strategy.<\/span><\/p>\nLegacy Systems:<\/span><\/strong> Many cultural institutions operate on outdated technology that lacks modern security features and may no longer receive security updates.<\/span><\/p>\nValuable Data:<\/span><\/strong> Donor databases, patron information, payment processing systems, and intellectual property (recordings, digital archives) represent valuable targets.<\/span><\/p>\nHuman Factor Vulnerabilities:<\/span><\/strong> Unlike many for-profit organizations, which are often <\/span>victims of zero-day vulnerabilities, the bulk of security breaches in smaller enterprises and most non-profits are caused by preventable flaws in<\/span> human-device <\/span>interaction. The untold story of cybersecurity is how criminals<\/span> exploit the imperfect nature of humans to further their own goals, and this has only worsened with AI-generated phishing that can convincingly impersonate executives, board members, or vendors.<\/span><\/p>\nHigh-Profile Impact:<\/span><\/strong> Attacks on cultural institutions generate significant media attention, which appeals to hackers seeking notoriety or making political statements.<\/span><\/p>\nThe Post-Pandemic Reality<\/span><\/strong><\/h2>\nFinding funding for cybersecurity has always been difficult at non-profits, <\/span>but it is a worthy investment. A good security posture today can save hundreds of<\/span> thousands\u2014or even millions\u2014later. However, many people are hard-pressed to believe that it could happen to them.<\/span><\/p>\nWhile many cultural institutions have recovered operationally from the COVID-19 pandemic, the digital transformation forced by the pandemic has actually expanded their attack surface. Virtu<\/span>al programming, streaming services, expanded e-commerce, remote work arrangements, and cloud-based operations have all created new vulnerabilities that <\/span>didn’t<\/span> exist before 2020.<\/span><\/p>\nAdditionally, new regulatory requirements have emerged:<\/span><\/p>\n\n- \n
\n- \n
\n- Enhanced data privacy regulations (GDPR, CCPA, and state-level privacy laws)<\/span><\/li>\n
- Mandatory breach notification requirements with shorter timeframes<\/span><\/li>\n
- Incre<\/span>ased liability for data breaches, with potential fines reaching millions of dollars<\/span><\/li>\n
- Cyber insurance requirements that mandate specific security controls<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Modern Cybersecurity: Essential Steps for Cultural Institutions<\/span><\/strong><\/h2>\nBringing cybersecurity to the forefront in <\/span>cultural institutions is the first critical step. Subsequent evaluation of the infrastructure and investment in prevention, detection, and response can help<\/span> reduce the likelihood of cyberattacks while also mitigating the damage if one occurs.<\/span><\/p>\nRecommended Approach:<\/span><\/strong><\/h3>\n\n- \n
\n- \n
\n- Initial Assessment:<\/span><\/strong> Have your in-house IT team conduct a comprehensive security audit<\/span><\/li>\n
- Exper<\/span>t Partnership:<\/span><\/strong> If your organization lacks the means to retain in-house cybersecurity personnel, partner with third-party cybersecurity firms specializing in non-profit or cultural institutions<\/span><\/li>\n
- Board-Level Engagement:<\/span><\/strong> Ensure cybersecurity is a regular board agenda item, not just an IT concern<\/span><\/li>\n
- Cyber<\/span> Insurance:<\/span><\/strong> Obtain appropriate cyber liability insurance (though be aware that insurers now require proof of security controls)<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n
Critical Security Controls for 2025<\/span><\/strong><\/h2>\nUntil you engage a cybersecurity firm, implement these essential protections:<\/span><\/p>\nMulti-Layered Firewall Protection<\/span><\/strong><\/p>\nWhen<\/span> it comes to safeguarding your <\/span>institution’s<\/span> digital environment, <\/span>it’s<\/span> essential to utilize multiple layers of firewall protection. Start with an edge firewall provided by your internet service provider, which acts as the first line of defense against external threats. Within your organization, an institutional firewall shields your internal network from unauthorized access. For <\/span>systems that handle sensitive tasks, such as ticketing, donation processing, or managing customer relationships, application-specific firewalls provide an additional layer of security tailored to those specific needs. To s<\/span>tay ahead of evolving threats, consider <\/span>next-generation firewalls that include advanced features such as intrusion<\/span> detection and prevention, providing more robust protection for your critical systems.<\/span><\/p>\nNetwork Segmentation<\/span><\/strong><\/p>\nWhen organizing your network, ensure that you set up separate subdomains for internal and external connections to maintain a clear division between them. You<\/span>r payment processing systems should run on their own isolated network to maintain PCI-DSS compliance. The guest Wi-Fi needs to be wholly disconnected from the main operational networks your team uses daily. And whenever you can, go with a zero-trust model, which means verifying every single access request\u2014no matter where <\/span>it’s<\/span> coming from.<\/span><\/p>\nModern Encryption Standards<\/span><\/strong><\/p>\nHaving SSL\/TLS certificates on all your websites <\/span>isn’t<\/span> optional; <\/span>it’s<\/span> required. For any sensitive communications, ensure that <\/span>there’s<\/span> end-to-end encryption to keep information private from start to finish. When it comes to storing data, especially information such as donor and patron details, encrypt that data while <\/span>it’s<\/span> stored on your servers. Als<\/span>o, remember to regularly check and renew your certificates to maintain security and ensure everything remains up to date.<\/span><\/p>\nMulti-Factor Authentication (MFA)<\/span><\/strong><\/p>\nAll staff accounts, not just those belonging to administrators, need to have multi-factor authentication in place. Whenever someone tries to access institutional systems remotely, <\/span>it’s<\/span> absolutely required. Yo<\/span>