Museum world hit by cyber attack on commonly used software

Several leading museums have been unable to display their collections online since a cyberattack hit a leading technology services provider that helps hundreds of cultural organizations digitally display their works and manage internal documents.

The Museum of Fine Arts Boston, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas were among the institutions that confirmed their systems had experienced outages in recent days.

The service provider, Gallery systems, said in a recent message to customers obtained by The New York Times that it noticed a problem on December 28, when computers running the software became encrypted and could no longer function. “We have taken immediate steps to isolate those systems and implemented measures to prevent additional systems from being affected, including taking systems offline as a precaution,” the company said in the release. “We have also launched an investigation and external cyber security experts have been brought in to assist. Moreover, we have informed the police.”

Gallery Systems did not immediately respond to email and telephone requests for comment.

Signs of disruption were visible on several museum websites eMuseum, a tool that typically allows visitors to search online collections, was offline. There was also disruption behind the scenes: Some curators said they had returned from their winter vacation to find they could not access sensitive information from another Gallery Systems program called TMS. That system can contain the names of donors, loan agreements, provenance information, shipping information and storage locations of valuable works of art.

“We noticed the outage starting on December 28,” said Sandrine Milet, spokeswoman for the Rubin Museum. “TMS was active again yesterday while eMuseum was not yet available.”

T. Barton Thurber, director of the Frances Lehman Loeb Art Center at Vassar College, said, “I can confirm that our museum – along with many others – was unfortunately affected by the attack.”

Paige Francis, Chief Information Officer at Crystal Bridges, said: “We are particularly concerned about the public’s inability to benefit from viewing our collection remotely during this disruption.”

According to some security experts, cyber attacks against cultural groups are becoming more common. In November, personal information was stolen from the British Library by a ransomware group, which posted images of internal staff files. The Metropolitan Opera and the Philadelphia Orchestra also faced cyber attacks last winter, hampering their ability to sell tickets online.

In many cases, these attacks come from ransomware groups, which hold the online service hostage until victims pay a sum. The nature of the attack on Gallery Systems was not clear.

Some museums that rely on Gallery Systems — including the Metropolitan Museum of Art and the Whitney Museum of American Art — said they are not affected because they host their own databases.

It was not immediately clear how widespread the cyberattack was, or what its full impact would be.

“The objects in museums are valuable, but the information about them is truly priceless,” said Erin Thompson, professor of art crime at the John Jay College of Criminal Justice in New York. “Often generations of curators have worked to research and document an artifact. If this information were lost, the blow to our knowledge of the world would be enormous.”