The security failures that allowed the Louvre Museum to be robbed in broad daylight on October 19th continue to multiply. It is now known that the museum’s video surveillance system also had weaknesses, exposed over the years in confidential documents, such as security audits and competition notices, consulted by the French newspaper “Libération”.

One of the documents analyzed refers to an audit of IT systems, carried out by the French National Cybersecurity Agency, in mid-December 2014. The Agency was also tasked with testing the museum’s security network, to which the most critical protection and detection equipment was connected, such as access control, alarms and video surveillance. The exercise revealed “Numerous vulnerabilities”.

During the test, cybersecurity experts managed to infiltrate the network with surprising ease from outside the museum. Technicians managed to enter the system and create ideal conditions to “damage the video surveillance system, compromising outdated servers” and “change the permissions granted to a badge”, for example.

“Libération” reveals that the Louvre was vulnerable to attacks potentially carried out by an attacker located outside the museum, “mainly due to the fragility of certain passwords”. To access a server that manages the museum’s video surveillance system, all you had to do was type the word… “LOUVRE”. Another password used was “THALES”, to access software produced by the company… Thales.

According to the French newspaper, the documents consulted revealed “a long history of major cybersecurity vulnerabilities at the Louvre, to which the museum had been alerted but not all of them were corrected.”

A new audit completed in 2017, carried out by the National Institute for Advanced Studies in Security and Justice, found the same degraded scenario. “Major deficiencies were observed in the system as a whole”, some of them similar to those identified in the previous assessment.

Although the museum “has been relatively spared until now, it can no longer ignore the potential threat of an attack with potentially dramatic consequences”, warned the document.

The list of vulnerabilities revealed by analyses of the state and functioning of the Louvre also includes insufficient training of the security team and aspects as everyday as poor management of visitor flow and easy access to the interior of the museum through the roof during the execution of works.

The audit also warned that the Louvre’s office network uses outdated operating systems, such as Windows 2000 and Windows XP, with “no antivirus updates, no passwords or session locks”. As one would when dealing with inexperienced users, it recommended changing passwords more frequently.

The most sought-after museum in the world, with 8.7 million visitors in 2024, has been within the reach of amateurs. According to “Libération”, the facades of this concrete giant, which stretches over 1.3 kilometers, have been monitored by just five surveillance cameras.
