The Uffizi cyberattack should worry every museum in Europe


A cyberattack on one of Italy’s greatest cultural institutions reveals a sector that has mastered physical security and ignored the digital kind.

After the weekend of 1 February 2026, staff at the Uffizi Galleries in Florence arrived on Monday morning to find their email accounts suspended, their internal servers unreachable, and the administrative backbone of one of the world’s most celebrated museums effectively dark.

The malware had come in through a vulnerability linked to software managing low-resolution images on the museum’s website, a door so small that nobody had thought to lock it. Within hours, whoever was on the other end had moved laterally through the network connecting the Uffizi, Palazzo Pitti, and the Boboli Gardens, touching the photographic archive server and, according to the Italian daily Corriere della Sera, sending a ransom demand directly to the personal phone of director Simone Verde.

The Uffizi’s official response was swift and categorical: nothing was stolen, no security systems were compromised, and the incident was “nothing like the Louvre.”


That comparison, intended to reassure, may be the most revealing thing anyone has said about the state of cultural security in Europe. Because the Uffizi cyberattack is not interesting for what it destroyed.

It is interesting for what it exposed: a sector that has spent centuries perfecting the art of physical protection while sleepwalking into digital vulnerability.

The Louvre reference is not casual. On 19 October 2025, thieves disguised as construction workers used a freight lift to reach a second-floor balcony of the Louvre, cut through a window, and in under eight minutes made off with eight pieces of the French Crown Jewels valued at approximately €88 million. A subsequent Senate inquiry revealed that only 39 per cent of the museum’s rooms were covered by CCTV, that one external camera had been pointed the wrong way, and that the surveillance system password was, simply, “Louvre.”

Director Laurence des Cars eventually resigned in February 2026. The jewels remain missing.

The Uffizi, then, had good reason to draw the distinction. Its attack was digital, not physical. No masked men, no cherry pickers, no shattered display cases. The museum stayed open throughout. Ticketing and visitor areas were unaffected. The only operational disruption, the Uffizi said, was the time required to restore backups.

But the distinction, while technically accurate, obscures a more uncomfortable truth. The Louvre heist was an old crime committed against an old weakness: a poorly guarded window. What happened at the Uffizi belongs to a different category entirely, one where the threat is invisible, the perimeter is infinite, and the damage may not be fully understood for months.

The gap between what Corriere della Sera reported and what the Uffizi acknowledged remains conspicuously wide. The newspaper described a prolonged intrusion in which attackers gained access to the entire museum network, extracted access codes, internal maps, and CCTV camera locations, took control of the photographic server, and then sent a ransom demand accompanied by a threat to auction the compromised data on the dark web.

The Uffizi denied nearly all of this. It said its physical security systems operate on closed internal networks, inaccessible from outside. It said no passwords were stolen. It pointed out that camera locations in a public museum are visible to any visitor, making their “discovery” unremarkable. It said the photographic archive had a complete backup.

What is not disputed is that malware did penetrate administrative systems in late January and early February, that staff email was disrupted, that Italian authorities opened an investigation for attempted extortion and unauthorised computer access, and that technical commentary has linked the incident to BabLock, a ransomware strain also known as Rorschach, previously associated with an attack on La Sapienza University of Rome.

The Uffizi also confirmed that it had moved Medici-era treasures to the Bank of Italy and sealed certain doorways with bricks and mortar, though it attributed both actions to planned renovations and fire safety compliance. It said the replacement of analogue surveillance cameras with digital ones had been recommended by police in 2024 and accelerated after the Louvre heist. Reasonable explanations. But the timing makes them difficult to read as purely coincidental.

What makes the Uffizi incident significant is not its severity but its typicality. Cultural institutions across Europe and North America have been absorbing cyberattacks with increasing frequency, and the pattern reveals a sector structurally unprepared for the threat.

In October 2023, the ransomware group Rhysida hit the British Library, ultimately leaking more than 600 gigabytes of stolen data after the library refused to pay. The estimated recovery cost reached £6 to £7 million. In late 2023, an attack on Gallery Systems, a software provider used by major American museums including the Museum of Fine Arts Boston and Crystal Bridges, rippled across its entire client base, disrupting digital collections and operations.

The Metropolitan Opera in New York suffered a cyberattack in 2022 that knocked out its website, box office, and call centre. Hackney Museum in London was caught in a broader attack on its parent borough council in 2020, in an incident its project curator later described as a “digital building burning down.”

These are not obscure institutions. They are among the most prominent cultural organisations in the world. And yet, as of 2024, only 69 per cent of museums in the United States reported having emergency response plans, and those plans overwhelmingly addressed analogue risks: earthquakes, floods, fire.

Not ransomware. Not data exfiltration. Not the quiet compromise of a network that connects cameras, ticketing, donor databases, and conservation records through a single digital spine.

The Uffizi case crystallises something the cybersecurity community has warned about for years: the convergence of physical and digital security in heritage institutions. Museums are not banks. They were not designed with network segmentation in mind.

Their buildings are centuries old. Their IT budgets are negligible. And yet the systems they now depend on, climate control, access management, surveillance, ticketing, collection documentation, are all networked, all connected, all potentially vulnerable.

When a cyberattacker maps the position of CCTV cameras and alarm systems, the threat is no longer purely digital. It becomes a reconnaissance tool for physical crime. When a ransomware group takes control of a photographic archive, the leverage is not just financial but cultural: the risk of losing or corrupting irreplaceable documentation of a nation’s artistic patrimony.

The Uffizi may be right that its closed-circuit security systems were never compromised. But the fact that the question even arises, that the connection between digital intrusion and physical vulnerability must be explicitly denied, tells you how thin the membrane has become.

The political response in Italy has been revealing. Former Prime Minister Matteo Renzi, who previously served as mayor of Florence, publicly attacked Culture Minister Alessandro Giuli, asking what he had done to protect the Uffizi.

Florence’s mayor, Sara Funaro, called for stronger digital security measures in cultural institutions. Trade unions raised concerns that physical countermeasures such as sealed doors might interfere with emergency evacuation routes in historic buildings.

Meanwhile, just weeks earlier, on the night of 22 March, four hooded thieves broke into the Magnani Rocca Foundation near Parma and stole paintings by Renoir, Cézanne, and Matisse in under three minutes, an entirely physical crime at an institution that apparently had an alarm system but not enough of a deterrent.

Italy, a country that holds perhaps the largest concentration of cultural treasures on earth, is now dealing with both categories of threat simultaneously: the old-fashioned smash-and-grab and the silent digital intrusion. And neither its political class nor its institutional leadership appears to have a coherent strategy for either.

There is a temptation, when an institution says nothing was stolen, to treat the incident as a near miss. This would be a mistake. The Uffizi attack, whatever its true scope, is a proof of concept. It demonstrated that the administrative systems of a world-class museum can be penetrated through a trivially small entry point. It demonstrated that an attacker can move laterally through interconnected networks linking multiple historic sites.

And it demonstrated that the public narrative after such an attack will be dominated by disagreement over what actually happened, a fog of conflicting claims that may itself become a tool for future adversaries.

Cultural institutions are not classified as critical infrastructure in most countries. They do not receive the mandatory cybersecurity audits, the dedicated funding, or the regulatory scrutiny that hospitals, energy grids, and financial systems do. 

They exist in a category of their own: publicly cherished, chronically underfunded, and now digitally exposed.

The Uffizi was right about one thing. What happened to it was nothing like the Louvre. It was, in some ways, worse. A jewel heist is dramatic, visible, and finite. A cyberattack is quiet, ambiguous, and its consequences unfold over months. The thieves who broke into the Louvre left through a window. The ones who got into the Uffizi may never have been in the building at all. And that, precisely, is the problem that Europe’s cultural institutions have not yet begun to solve.




