A cyberattack on one of Italy’s prominent cultural institutions highlights a sector adept at physical security but neglectful of digital safeguards.
On the weekend of February 1, 2026, Uffizi Galleries staff in Florence found their email accounts suspended, internal servers inaccessible, and the museum’s administrative systems down on Monday morning. The malware infiltrated through a tiny overlooked vulnerability in software managing low-resolution images on the museum’s site. Within hours, the attacker traversed the network linking Uffizi, Palazzo Pitti, and Boboli Gardens, accessed the photographic archive server, and, according to Corriere della Sera, sent a ransom demand to director Simone Verde’s personal phone.
The Uffizi’s official statement was prompt and unambiguous: nothing was stolen, no security systems were compromised, and it was “nothing like the Louvre.”
This comparison, meant to reassure, highlights the state of cultural security in Europe. The Uffizi cyberattack is notable not for what it damaged, but for what it revealed: a sector skilled in physical protection yet vulnerable digitally.
The Louvre comparison was intentional. On October 19, 2025, disguised thieves used a freight lift to reach a Louvre balcony, cut through a window, and in eight minutes stole French Crown Jewels valued at about €88 million. A Senate investigation found that only 39% of rooms were under CCTV surveillance, that an external camera was misdirected, and that the surveillance system password was “Louvre.”
Director Laurence des Cars resigned in February 2026. The jewels remain missing.
The Uffizi drew the distinction that its attack was digital, not physical. There were no intruders and no damaged displays. The museum stayed open. Visitor areas were unaffected. The main disruption was the time taken to restore backups.
Yet, this distinction obscures an unsettling truth. The Louvre heist exploited an old weakness: a poorly guarded window. The Uffizi incident belongs to a different realm: invisible threats, limitless perimeters, and damages that may take months to fully grasp.
The discrepancy between Corriere della Sera’s report and the Uffizi’s acknowledgment is notable. The paper described a prolonged intrusion in which the attacker accessed the entire museum network, extracted codes, internal maps, and CCTV locations, seized control of the photographic server, and sent a ransom demand with a threat to auction the data on the dark web.
The Uffizi denied most of this. It stated its physical security runs on isolated networks, inaccessible externally. No passwords were stolen. Camera locations in a museum are public, making their “discovery” trivial. The photographic archive had a complete backup.
What both accounts agree on is that the malware penetrated administrative systems in late January and early February, that staff email was disrupted, that there is an Italian investigation into attempted extortion and unauthorized computer access, and that there are technical links to BabLock, a ransomware strain also known as Rorschach, associated with the attack on La Sapienza University of Rome.
The Uffizi confirmed moving Medici-era treasures to the Bank of Italy and sealing some doorways with bricks and mortar, citing planned renovations and fire safety compliance. The upgrade to digital surveillance, recommended in 2024 and accelerated after the Louvre heist, has reasonable explanations, but the timing is hard to view as coincidental.
The Uffizi incident is significant not for severity but typicality. Cultural institutions in Europe and North America are increasingly facing cyberattacks, revealing a sector unprepared for the threat.
In October 2023, the ransomware group Rhysida attacked the British Library, leaking over 600 GB of data after non-payment, with recovery costs estimated at £6 to £7 million. Late 2023 saw an attack on Gallery Systems, affecting major American museums like the Museum of Fine Arts Boston, disrupting digital collections and operations.
The Metropolitan Opera in New York faced a 2022 cyberattack disrupting its website, box office, and call center. Hackney Museum in London was involved in a broader council attack in 2020, described as a “digital building burning down” by its curator.
Among these prominent institutions, as of 2024, only 69% reported having emergency plans, and those plans primarily address analogue risks: earthquakes, floods, fires. They do not address ransomware, data breaches, or compromises of the networks that digitally connect cameras, ticketing, databases, and records.
The Uffizi case epitomizes what the cybersecurity community has warned about: the convergence of physical and digital security in heritage institutions. Museums aren’t banks; they lack network segmentation designs, have ancient buildings and minimal IT budgets, yet rely on networked systems for climate control, access, surveillance, ticketing, and documentation, all potentially vulnerable.
When a cyberattacker maps CCTV and alarms, the threat goes beyond digital, aiding physical crime. When ransomware controls an archive, the leverage is cultural: risking a nation’s artistic heritage documentation.
While the Uffizi claims its closed-circuit systems remained uncompromised, the fact that such questions arise shows the thinning barrier between digital intrusion and physical
