Hackers Saw the Asian Art Museum of San Francisco as Ripe for a Ransom Attack. Are Other Cultural Institutions Next?

Museums' access to information about wealthy individuals make them attractive targets, experts say.

A computer hacked by a ransomware virus known as Petya, which hit Russian and Ukrainian companies on June 27, 2017. Photo by Donat Sorokin/TASS/Getty Images.

In recent months, ransomware attacks have debilitated local governments in Baltimore and Atlanta and sought to extort millions of dollars from small school districts and colleges. Now, museums appear to be under threat as well. And their ties to wealthy donors make them a particularly appealing mark, experts say.

News recently surfaced that hackers targeted the Asian Art Museum in San Francisco in a ransomware attack in May. The museum was able fight back, enlisting the city’s IT security experts to regain control of its computer network. But the incident raises concerns about the vulnerability of cultural institutions when it comes to cyber security.

“I’m surprised that hacking hasn’t happened at more museums,” Tyler Cohen Wood, a cyber security consultant and the former cyber deputy chief of the Defense Intelligence Agency, told artnet News. “Hackers are interested in getting personal information, something that’s of monetary value—such as ‘these donors have this artwork and they’re going to donate this at this time.'”

It might sound like the plot of a dramatic Hollywood blockbuster, but according to Wood, it’s well within the realm of possibility that hackers might target an art museum in order to plan a robbery.

The Asian Art Museum of San Francisco. Photo by Bjjung, from Wikimedia Commons.

The Asian Art Museum of San Francisco. Photo by Bjjung, from Wikimedia Commons.

The San Francisco hacking attempt was first reported by the city’s local ABC affiliate, which confirmed that the museum refused to pay the demanded ransom, in keeping with official city policy. According to the news outlet, almost a dozen cities across the country have fallen victim to this growing threat. Often deployed by tricking users into downloading what appear to be legitimate files, ransomware is a type of malware where the hacker threatens to publish or block access to the victim’s data unless a ransom is paid.

“We do not know who attacked us and we did not communicate with them,” said Tim Hallman, the museum’s director of communications and business development, in an email to artnet News. He declined to provide details about the nature of the attack or the tactics used to overcome it. (“We don’t want to invite scrutiny or challenges from malefactors,” he said.)


How to Protect Your Institution

To protect themselves, “museums, like all public and private institutions, need to have proper up-to-date intrusion and malware protection on their systems,” Wood said. But it’s also critical, she explained, to understand the importance of the human element: most ransomware is introduced via phishing scams over email—and they have become increasingly sophisticated. That means museums need to hold regular training programs to educate employees to avoid clicking suspicious links or downloads and teach them how to respond should they accidentally download malware.

“One of the most important things to teach the users on your network is if they do see a ransomware box pop up, based on company policy, they want to immediately disconnect that computer from the network, whether that’s the wireless or they have to physically pull the plug,” Wood warned. That way, the malware will stay contained on the user’s computer, rather than infecting the entire network.

Another important step: Keeping your most valuable information under digital lock and key. “One of the biggest things that an organization wants to do is to make sure that the crown jewels, no pun intended—the passwords and the private or personal information—is completely segmented off from their regular network,” Wood explained. “They should have access controls in place so that if someone does get into one of the computers, they can’t jump into the most important network.” (This is all the more critical in the case of government museums, which should have separate network from cities and other municipal groups.)

A laptop displays a message after being infected by a ransomware as part of a worldwide cyberattack that hit more than 200,000 victims in more than 150 countries in 2017. Photo AFP PHOTO/ANP/Rob Engelaar/Netherlands /Getty Images.

A laptop displays a message after being infected by a ransomware as part of a worldwide cyberattack that hit more than 200,000 victims in more than 150 countries in 2017. Photo: AFP PHOTO/ANP/Rob Engelaar/Netherlands /Getty Images.

Remarkably, the Asian Art Museum attack did little to disrupt the museum’s normal activities. “Throughout, we kept our doors open, welcoming visitors to the galleries, store, and café,” insisted Hallman. “We never canceled any programs, and construction on our expansion was not impacted and remains on track for completion next spring.”

“We have really reached a point where security has to be a part of everybody’s job,” Wood said. “Just having training course are good, but it’s not enough. We live in a digital world, so becoming more vigilant is the best way to secure our data and information.”

Follow Artnet News on Facebook:

Want to stay ahead of the art world? Subscribe to our newsletter to get the breaking news, eye-opening interviews, and incisive critical takes that drive the conversation forward.