Cyber Incident Victim: Uffizi Galleries

Date: Feb 2026

Location: Italy

Summary

The Uffizi Galleries experienced a cyberattack that entered through a vulnerability in low‑resolution image software on its website, suspending staff email and rendering internal servers unreachable. Attackers moved laterally across the network linking the museum, Palazzo Pitti and the Boboli Gardens, accessed the photographic archive server and sent a ransom demand to the director’s personal phone. While the institution stated that no data were stolen, no security systems were compromised and the only impact was the time needed to restore backups, reports indicated that the intruders had extracted access codes, internal maps and CCTV locations, taken control of the archive and threatened to auction the data on the dark web. Italian authorities opened an investigation for attempted extortion and unauthorized computer access, and the malware was linked to the BabLock ransomware strain.

Description

After the weekend of 1 February 2026, staff at the Uffizi Galleries in Florence arrived on Monday morning to find their email accounts suspended, their internal servers unreachable, and the administrative backbone of the museum effectively dark. The malware had entered through a vulnerability linked to software managing low-resolution images on the museum’s website. Within hours, the attacker moved laterally through the network connecting the Uffizi, Palazzo Pitti, and the Boboli Gardens, and reached the photographic archive server.

According to the Italian daily Corriere della Sera, the intruder extracted access codes, internal maps, and CCTV camera locations, took control of the photographic archive server, and sent a ransom demand directly to the personal phone of director Simone Verde. Corriere della Sera also reported that the attacker threatened to auction the compromised data on the dark web.

The Uffizi’s official response was swift and categorical: nothing was stolen, no security systems were compromised, and the incident was described as "nothing like the Louvre." The museum stated that its physical security systems operate on closed internal networks inaccessible from outside, that no passwords were stolen, and that camera locations in a public museum are visible to any visitor, making their "discovery" unremarkable. The Uffizi noted that the photographic archive had a complete backup. It confirmed that malware had penetrated administrative systems in late January and early February, that staff email was disrupted, and that Italian authorities had opened an investigation for attempted extortion and unauthorised computer access.

Technical commentary linked the incident to the BabLock ransomware strain, also known as Rorschach, which had previously been associated with an attack on La Sapienza University of Rome.

The Uffizi said that ticketing and visitor areas remained open throughout the incident and that the only operational disruption was the time required to restore backups from the photographic archive. The museum confirmed that it had moved Medici-era treasures to the Bank of Italy and had sealed certain doorways with bricks and mortar, attributing both actions to planned renovations and fire safety compliance rather than the cyberattack. It also noted that the replacement of analogue surveillance cameras with digital ones had been recommended by police in 2024 and had been accelerated after the Louvre heist of October 2025.

Italian authorities continued their investigation into the attempted extortion and unauthorised computer access. The Uffizi denied nearly all of the claims made by Corriere della Sera regarding data exfiltration, control of the photographic server, and the ransom demand accompanied by a threat to auction data.

Despite the denial, the incident underscored a broader pattern of cyberattacks targeting European cultural institutions, as illustrated by earlier ransomware events at the British Library, Gallery Systems, the Metropolitan Opera, and Hackney Museum. The Uffizi case demonstrated that administrative systems of a world‑class museum can be penetrated through a small entry point and that attackers can move laterally across interconnected historic sites. The public narrative after the attack was marked by disagreement over what actually happened, creating a fog of conflicting claims that could be exploited by future adversaries. No further details about ransom payment or data loss were provided in the source material.
