Art Held Hostage:
How Smart Systems’ Vulnerabilities Threaten the World’s Museums and Galleries
A museum has long ceased to be a quiet storage facility where the main risks are fire, damp, or a broken-in display case. Behind the walls of the exhibition halls, a dense technical environment operates: servers, cash registers, accounting databases, lighting controllers, climate control units, cameras, and access control systems — and if this environment fails, the problem quickly spreads beyond the IT department.
In a typical company, ransomware disrupts sales and access to documents. In a cultural institution, the consequences are far more widespread: access to the catalog is lost, employees can’t see data on the movement of works, the cash register freezes, and the security team partly loses visibility through its cameras. Moreover, many processes are interdependent, so a single damaged server can break a chain in which each link relies on the next.
The problem is exacerbated by the environment itself. Many museums are located in old buildings, where utility systems were added piecemeal — new sensors were installed next to old automation systems, local networks were installed without a complete overhaul, and contractors were allowed access after installation "just in case." In reality, the resulting network is a mixture of office, technology, and public networks, where the boundaries are blurred, and event logging is short-lived or nonexistent.
Against this backdrop, the attack model is also changing. A thief who previously looked for an open window or lax night security is now looking for a contractor with a simple password, open remote access, or a forgotten service on an old computer. The goal is no longer the painting itself, but rather the opportunity to pressure the museum through its weak point: encrypting the archive, blocking the box office on the day of a major exhibition, replacing media content, or tampering with the climate control system.
Climate and automation
Particular risks are associated with systems that are barely noticeable to the viewer. Temperature, humidity, airflow, and lighting must be kept within a narrow range; otherwise, canvas, paper, wood, varnish, glue, and fabric will suffer. Even in small private galleries, where accounting is managed with standard office programs and the server holding the archive and cash register is shielded from external threats by Kaspersky Small Security, a technical failure in adjacent engineering systems quickly ceases to be a "computer problem" and becomes a threat to the exhibits.
For many materials, smoothness and stability are crucial. A sudden change in humidity is just as dangerous as a prolonged fluctuation. During storage and display, temperatures around 20°C and relative humidity around 50% are often maintained, with minimal daily fluctuations. If an intruder alters the settings, disables sensors, or distorts telemetry, staff may not notice the problem immediately, and sometimes notice it only during a routine inspection in the restoration workshop.
Damage to an artwork can occur slowly. If a cash register goes down, it’s immediately visible. If the storage area has been exposed to undesirable humidity for several hours, signs of damage will appear later.
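The checks implied above can be run over the telemetry itself. This is an added example, not part of the original article: it flags out-of-range values, abrupt humidity steps, silent sensors, and suspiciously frozen readings. The 20°C and 50% targets come from the text; every tolerance, the reading interval, and the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Targets come from the article; every tolerance below is an assumed policy value.
TARGET_T, TARGET_RH = 20.0, 50.0     # degrees C, % relative humidity
TOL_T, TOL_RH = 2.0, 5.0             # allowed deviation from target
MAX_RH_STEP = 3.0                    # max RH change between consecutive readings
MAX_GAP = timedelta(minutes=15)      # longer silence: sensor offline or disabled
FLATLINE_N = 6                       # bit-identical readings in a row: frozen feed

def check(readings):
    """readings: time-sorted (timestamp, temp_c, rh_pct). Returns [(timestamp, code)]."""
    alerts, run = [], 1
    for i, (ts, t, rh) in enumerate(readings):
        if abs(t - TARGET_T) > TOL_T or abs(rh - TARGET_RH) > TOL_RH:
            alerts.append((ts, "OUT_OF_RANGE"))
        if i == 0:
            continue
        prev_ts, prev_t, prev_rh = readings[i - 1]
        if ts - prev_ts > MAX_GAP:
            alerts.append((ts, "GAP"))
            run = 1                  # do not compare against a stale reading
            continue
        if abs(rh - prev_rh) > MAX_RH_STEP:
            alerts.append((ts, "RAPID_CHANGE"))
        # A live sensor shows small noise; an exact repeat run suggests replayed data.
        run = run + 1 if (t, rh) == (prev_t, prev_rh) else 1
        if run == FLATLINE_N:
            alerts.append((ts, "FLATLINE"))
    return alerts

# Constructed sample: minutes since midnight, temperature, relative humidity.
T0 = datetime(2024, 1, 1)
RAW = [(0, 20.1, 50.2), (5, 20.0, 50.4), (10, 20.2, 54.0), (15, 20.3, 56.5),
       (50, 20.0, 50.0), (55, 20.0, 50.0), (60, 20.0, 50.0), (65, 20.0, 50.0),
       (70, 20.0, 50.0), (75, 20.0, 50.0)]
SAMPLE = [(T0 + timedelta(minutes=m), t, rh) for m, t, rh in RAW]

if __name__ == "__main__":
    for ts, code in check(SAMPLE):
        print(ts.isoformat(), code)
```

The flatline rule is a heuristic: a sensor with coarse resolution can legitimately repeat a value, so the run length should be tuned per device and the alerts sent somewhere the automation network cannot silence.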
The threat doesn’t always manifest as a high-profile attack. It often begins with silent access through an old remote service channel, a default password on a controller, or a dispatcher’s work computer used for internal communications and third-party websites. The attacker then moves through the network, searching for nodes without encryption, logging, or proper privilege management — and the automation systems were often designed for uptime, not intrusion resistance.
Digital vandalism and public networks
A separate class of risks has emerged around interactive exhibits. Multimedia walls, projectors, touch panels, kinetic objects, and sound systems are often connected to a shared network, which presents a visually appealing experience to visitors and a convenient entry point for attackers. If the administration is poorly organized, content can be substituted, the show stopped, and the equipment thrown into an abnormal mode while the exhibit is in operation.
Content substitution is no longer an abstract scenario. A poorly protected minicomputer behind a screen or a wireless segment without proper isolation is enough. The screen where digital reconstruction is supposed to take place starts showing someone else’s video or a system message. The public immediately notices the glitch, while employees are preoccupied with reputational damage and may miss deeper network penetration.
Public access also creates cracks. Guest Wi-Fi, ticket kiosks, media guides, and hall map kiosks — all of these should be separate from the back-end and technology components. In practice, this separation isn’t always achieved, and is sometimes replaced by router logic or a single password for everyone. If a visitor’s device gains access to internal nodes, a random error quickly becomes a foothold for a targeted entry.
Archives, provenance and silent blackmail
A digital archive is no less vulnerable. For a museum, this isn’t just a collection of files — it contains acceptance certificates, condition reports, high-resolution photographs, X-rays, restoration notes, transport contracts, ownership information, and the provenance of the object. The loss of such a massive archive impacts several areas at once: it disrupts record-keeping, complicates authenticity verification, and sensitive information about individuals becomes a commodity on the shadow market.
Provenance is particularly sensitive. For some works, the ownership history is incomplete or pieced together, so any edit to the database — even a minor one — can trigger a lengthy dispute. If the attacker doesn’t encrypt the data, but quietly alters the records, the tampering is more difficult to detect. The error often surfaces late: during an appraisal, an insurance check, or preparation for an exhibition. Here, the damage stems not from noise, but from a lack of trust in a record that was previously considered reliable.
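One way to make silent edits evident is a hash-chained change log whose latest hash is also kept outside the database. This is an added example, not part of the original article; the record fields, object IDs, and owners are constructed, and the function names are hypothetical.

```python
import copy, hashlib, json

GENESIS = "0" * 64

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]          # new head; store a copy outside the database

def verify(log, anchored_head):
    """None if intact; index of the first broken entry; len(log) on head mismatch."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None if prev == anchored_head else len(log)

# Constructed sample records; object IDs and owners are invented for illustration.
RECORDS = [
    {"object": "INV-0001", "event": "acquired", "owner": "Private collection A", "year": 1931},
    {"object": "INV-0001", "event": "sold", "owner": "Dealer B", "year": 1952},
    {"object": "INV-0001", "event": "donated", "owner": "Museum", "year": 1987},
]

def demo():
    log = []
    for r in RECORDS:
        head = append(log, r)
    # Case 1: a record is edited in place, hashes left alone.
    edited = copy.deepcopy(log)
    edited[1]["record"]["owner"] = "Dealer X"
    # Case 2: the editor also recomputes every hash, so the chain is self-consistent.
    rebuilt = []
    for r in [RECORDS[0], {**RECORDS[1], "owner": "Dealer X"}, RECORDS[2]]:
        append(rebuilt, r)
    return verify(log, head), verify(edited, head), verify(rebuilt, head)

if __name__ == "__main__":
    print(demo())
```

The second case is the one that matters: a chain stored only next to the data proves nothing once it is recomputed, so the head hash has to live where database credentials do not reach.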
| Attack type | What is affected | When it is discovered |
|---|---|---|
| Ransomware (encryption) | Archive, cash register, catalog | Immediately |
| Changing climate settings | Physical preservation of exhibits | In hours or days |
| Silent editing of provenance records | Reliability of documentation | During an inspection |
| Substitution of media content | Interactive exhibition | Immediately, publicly |
Ransomware is especially dangerous in environments where digitalization has been ongoing for years and backups are maintained only as a formality. A common problem is that a backup is stored on the same network, visible under the same credentials, and therefore encrypted along with the working volume. Even worse is when part of the archive is stored on external drives without regular read verification: employees are confident that a backup exists, but during a disaster, it turns out that the drive has physically degraded and the checksum doesn’t match.
Security in such an environment requires routine discipline, not grandiose declarations. Contractor access is limited by time and node list, the service network is separated from the guest network, and the engineering network from the office network. Archive copies are kept outside the main network and recovery is regularly tested. Accounts are reviewed after each exhibition and each project. Without this work, the museum remains an easy target for blackmail, which simultaneously affects funds, the exhibition schedule, and the objects themselves.