The recent theft of the crown jewels from the Louvre in Paris has revealed a problem much deeper than just physical gaps in security. The IT sector’s attention was drawn to reports of fundamental negligence in cyber security that had been ignored for years at one of the world’s most important cultural institutions.
The French daily Libération, citing confidential documents, revealed findings that sound like the script of a 1990s hacker movie. The access password for the server managing the museum’s entire video surveillance system was “LOUVRE”. Other reports indicate that the password “THALES” was used for software supplied by the Thales arms company.
These are not new problems. As early as 2014, an audit by the French national cyber security agency (ANSSI) warned that the museum’s systems had numerous vulnerabilities and relied on extremely weak passwords.
A key problem proved to be deep technological debt. The Louvre’s internal networks were said to rely on operating systems such as Windows 2000 or Windows XP. Neither of these systems has received any security updates from Microsoft for over a decade, making them a trivial target for attackers.
While there is no official confirmation yet of whether these particular software vulnerabilities were exploited by the thieves, the situation exposes a failure in IT risk management. The fact that the basic principles of digital hygiene were ignored for years shows that even the most prestigious institutions are not immune to the consequences of neglecting to upgrade their technology infrastructure.
