The theft of jewellery from the Louvre and that of Coțofenești's Golden Helmet from the Drents Museum in Assen received a lot of public attention. Such classic museum heists invariably evoke the image of The Pink Panther or Ocean's Eleven: a romanticised world of master thieves who manage to rob a museum or business with flair and dexterity.
Cyber-attacks and digital thefts have no such romanticised world and therefore receive much less media attention. This is unjustified. Precisely by continuing to frame them as isolated ‘incidents’, we mask the fact that they are a structural and rapidly growing risk for the museum sector.
When the online ticketing, shop systems and telephony of the Staatliche Kunstsammlungen Dresden went down this month after a targeted cyber attack, the damage seemed limited. The museums remained open and the art was safe, the Saxon Culture Ministry reported. But behind those reassuring words hid an uncomfortable reality: one of Europe's oldest and most prestigious museum networks turned out to be digitally vulnerable in the very places where audiences, revenue and daily operations converge.
The incident in Dresden was not an isolated one. A few weeks earlier, here in the Netherlands, the Veenkoloniaal Museum in Veendam was hit by ransomware from the LockBit group. Systems were encrypted, data was stolen and the museum faced extortion: pay, or the stolen information would be published. Director Hendrik Hachmer responded remarkably openly.
“We are not going to negotiate with this group,” he said. “This can happen to anyone. The only party that should feel guilty is the hackers.”
That statement is sympathetic - but also problematic. Because the very idea that cyber incidents can ‘happen to anyone’ has a paralysing effect. It suggests inevitability, while much damage comes from managerial underestimation, poor preparation and lack of explicit responsibility.
The digital back of the museum
Museums have digitised at lightning speed over the past 10 to 15 years. Online ticketing, collection databases, digital depots, educational platforms, web shops, CRM systems for members and donors - often linked to external suppliers. That digital layer is now as essential as the building, the depot or the security of the rooms.
Yet in many museums, cyber security is still seen as a technical detail, delegated to a small IT department or an external supplier. Boards and supervisory boards speak at length about audience reach, inclusion and sustainability, but rarely about digital resilience. A DEN report from 2023 already found that museums are digitising but hardly investing in structural cyber risk management. Little has changed since then.
That picture was confirmed in more than 50 interviews I conducted with museum directors and museum supervisors in Europe in 2025. Almost all acknowledged that cyber risks are increasing. Only a few could explain how those risks are embedded in governance, quantified financially or discussed periodically at board level. Cybersecurity was rarely part of the risk register, let alone of scenario planning.
What a cyber incident really costs
One of the most persistent misconceptions is that cyber incidents are mainly an IT problem. In reality, they affect the entire functioning of a museum. Analyses of recent incidents in the cultural sector show how broad and layered the impact is - financial, organisational and managerial.
The Museum Cyber Incident Cost Calculator, developed on the basis of real incidents at cultural institutions, shows how wide-ranging the impact is. The direct IT costs - servers, software, recovery - are often still the most visible. But on top of these come loss of turnover through lost ticket sales and webshop revenue, extra staff costs, the deployment of external forensic experts, legal obligations around AVG (GDPR) notifications, intensive communication with the public and stakeholders, reputation damage and unavoidable investments in extra security after the incident. In severe cases, these costs amount to 25, 50 or even more than 100 per cent of the annual operating budget.
That said, not every cyber incident is the same. Ransomware is among the most disruptive scenarios: systems are held hostage, data becomes inaccessible and recovery often requires a complete rebuild of the digital infrastructure. Data breaches have a different cost profile, with lengthy legal processes, reporting obligations and lasting reputation risk.
Less visible, but no less damaging, are system corruption and digital service outages, where museums fall back on manual processes for weeks or months. It is striking how systematically the recovery time is underestimated: beforehand it is thought of in days or weeks, while in practice recovery often turns out to be a matter of months, and files are frequently lost or damaged for good.
The British Library and the National Museum of the Royal Navy, with their cyber incidents, have become the sector's cautionary tales: multi-million recovery costs, months of disruption and a forced complete rebuild of IT infrastructure. Yet these very examples are often dismissed as ‘too big’ or ‘too exceptional’ - as if medium-sized and smaller museums were out of harm's way.
The opposite is true. Smaller institutions are especially vulnerable: limited IT budgets, many volunteers, outdated systems and a strong dependence on external suppliers. The Veenkoloniaal Museum needed a little more than a week to recover after the ransomware attack, not because the damage was minor, but because backups had been made outside the building in December. The internal backups had also been compromised.
That the museum was able to keep operating at all was because it still held paper copies of crucial information. It illustrates how thin the dividing line is between resilience and disruption - and how often continuity relies on coincidence rather than on thoughtful risk management. The website of the Staatliche Kunstsammlungen Dresden, meanwhile, is still offline at the time of writing.
Transparency as a litmus test
It is striking how differently museums communicate after a cyber incident. In Dresden, it was stressed that the collections were safe and that physical security remained intact. This is understandable, but it masks the fact that digital disruption now has direct implications for accessibility, revenue and public service.
The Veenkoloniaal Museum chose to be open about the attack, the origin of the hackers and the nature of the stolen data. This is commendable - and at the same time confronting. Transparency turns out to be a litmus test: those who have not thought through scenarios beforehand, and those who have no crisis communication plan, soon find themselves caught between legal caution and public accountability after an incident.
Museums in particular, as public institutions with a social mission, cannot afford such vagueness. Trust is their most important capital - and that trust is as vulnerable digitally as it is physically.
Administrative responsibility
Cyber risks are no longer a peripheral phenomenon. They touch the core of the museum mission: access to heritage, care for collections, reliability towards the public and subsidisers. That makes cybersecurity undeniably a governance issue.
So the question is not whether a museum will ever be attacked, but how prepared it is. Is it clear who decides in the event of an incident? Is it known what a month of digital downtime will mean financially? Is what can be insured actually insured - and is it understood what is not covered?
It remains surprising how little attention is paid to this structurally in the sector. Especially now that digitalisation is presented as an engine for reach and relevance, digital resilience should naturally be part of good governance.
From blind spot to basic condition
Cyber security is neither a luxury nor an exercise in fear. It is a basic requirement for continuity. Just as fire safety, depot management and financial control were once professionalised, cyber risk management will also have to be firmly embedded in policy, supervision and accountability.
The recent ‘incidents’ in Dresden and Veendam are no longer incidents, but signals. Those who continue to read them as bad luck or coincidence miss the structural message. Museums are not soft targets because they are naive, but because they allow themselves to be so.
The real question is not whether museums are digitally vulnerable - they are. The question is how long administrators and supervisors can afford not to explicitly face that.