Cyber Security for Museums

It seems that not a day goes by that we don’t hear about some breach in cyber security. But why should Museums be concerned with this relatively new aspect of crime? After all, museums don’t hold vast amounts of money in their vaults. They deposit their checks as we all do. We want our financial institutions to be as secure as possible.

What if your home were destroyed in a fire or hurricane. You would want to retrieve what you could of the surviving family memorabilia, documents, and photographs to put your life back together again.

So it is for the provenance and history of an object in a museum collection. Over years of scholarship information has been gathered. When, where, and by whom was it made? Who has owned it since? With an ancient piece where and when was it found. Imagine in a collection that has 10’s 100’s of thousands of objects, or even in a few cases millions, where this information might have to be relearned.

This leads to ransomware. The perpetrator will lock the computerized information system so that an institution and its audience can no longer access its collection information or make it available online until they pay the demanded ransom.

For the museum staff, this is critical as it includes not only scholarship but essential operating information like storage location, and documents like loan agreements. The public has come to make use of information on museums’ collections through their websites. Where would I be either as an art dealer, a blogger, or just an art aficionado if I could no longer see what a museum has in its inventory? As a scholar or art-lover, I would want to identify the museums holding works by an artist I am interested in. As a dealer, I want to know which museums have works related to the one I have to offer.

In The New York Times, Zachary Small reported this past January that major museums such as The Museum of Fine Arts, in Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum had experienced disruptions in late December caused by hackers targeting the software they use.

Gallery Systems one of the major service providers admitted that on December 28 computers running its software became encrypted and could no longer operate.

One precaution was to take other potential target clients offline. You can imagine the progression of all museums using this well-known software would all go offline at once. The company had to hire cybersecurity experts in their investigation and involve law enforcement as well. Although the Whitney Museum and Metropolitan Museum use Gallery Systems they did not experience disruption as they host their own databases.

In an article for the Insurance Journal this past February Elizabeth Blosfield,

quotes John Farley, managing director of Gallagher’s cyber practice stating that cyber criminals are “going after key suppliers in the supply chain, so we’re talking about software providers. And the reason they’re doing that is because they know that those software providers probably have hundreds, if not thousands, of other clients whose data they take in” as well as details about their members.

As we have learned we need to be ever vigilant as must the organizations that we trust and rely on.