Cyber Incident Victim: National Gallery of Canada
Date: Apr 2023
Location: Canada
Summary
The National Gallery of Canada was targeted in a ransomware attack that forced it to shut down its IT systems. The institution remained open to the public, but the incident caused operational disruption, including the loss of some operational data and the need for many staff to work remotely during recovery. No customer or payment data was stolen. A forensic investigation was conducted with the assistance of cybersecurity experts.
Description
On April 23, 2023, the National Gallery of Canada discovered it was the victim of a ransomware attack. The institution, one of the largest art museums in North America by exhibition space, immediately initiated its response protocols. The primary action taken was to shut down its entire IT system to contain the threat and prevent further spread. The Gallery worked to isolate the specific networks that were affected by the intrusion, effectively segmenting compromised areas from those that remained clean. This swift action was aimed at protecting the core operations of the museum and safeguarding any sensitive or personal information stored within its systems.

Following the initial containment, the Gallery engaged a cybersecurity firm to conduct a comprehensive forensic investigation. The purpose of this investigation was to determine the scope of the attack, identify the point of entry, and understand the full extent of the impact on its digital infrastructure. Concurrently, the Canadian Centre for Cyber Security became involved in the recovery effort, providing additional expertise and support to the national institution. The interim Director and CEO, Angela Cassie, stated that the organization took the incident very seriously and that its core focus was on protecting sensitive information and ensuring the safe operation of the Gallery.
Despite the significant IT disruption, the physical museum in Ottawa remained open to the public. This was possible because the attack primarily affected internal IT systems and back-end operations rather than the public-facing systems controlling physical access or gallery displays. However, the internal operational impact was substantial. Many employees were required to work remotely as the IT team and external experts worked to rebuild servers and restore system access gradually. This process was described as slow and methodical, ensuring that systems were cleaned and secured before being brought back online to prevent re-infection.
The Gallery confirmed that no customer or member data was stolen during the attack. In a communication to its members, the institution elaborated that its payment systems were not affected and that it does not store full credit or debit card numbers, which limited the potential financial risk to its patrons. However, the organization did acknowledge that some operational data was lost as a direct result of the ransomware encryption. This loss of data impacted internal administrative functions and workflows.
The operational consequences of the attack created significant inconvenience and frustration for staff, the Gallery's Foundation, and some partners. Membership services were notably disrupted. For a period of ten days following the incident, the Gallery's ability to process membership renewals and respond to member questions and comments was severely hampered. In an email to its members, the Gallery apologized for these delays and implemented measures to maintain goodwill. All memberships that expired in April were honored until the IT issues were resolved, and any promotional offers were similarly extended to ensure members did not lose benefits due to the attack.
No ransomware group claimed responsibility for the attack on the National Gallery of Canada. The absence of a public claim meant there was no public ransom demand or negotiation details revealed. The recovery process involved a complete rebuild of affected servers rather than a restoration from backups, suggesting that backups may have been compromised or were not sufficient for a full recovery, or that the rebuild was a preferred method to ensure the elimination of any malicious code. The forensic investigation continued alongside the recovery efforts to ensure a full understanding of the event.
The incident at the National Gallery of Canada is part of a broader trend targeting cultural and arts organizations. These institutions are often viewed as attractive targets by ransomware actors due to the perception that they possess valuable customer data and may be more likely to pay a ransom to ensure they can remain open and operational. This attack shares similarities with other high-profile incidents in the sector. In December of the previous year, The Metropolitan Opera in New York was hit by a ransomware attack during its critical Christmas season, a period during which it handles approximately $200,000 in daily sales. Furthermore, a July 2022 ransomware attack on WordFly, a technology company providing digital marketing services to cultural institutions, had a cascading effect. That incident damaged email and text messaging services for a wide array of major organizations, including the Smithsonian, the Toronto Symphony Orchestra, Canada Stage, the Sydney Dance Company in Australia, the Royal Shakespeare Company, and the U.K.’s Old Vic Theatre, demonstrating the sector's vulnerability to supply-chain attacks.
The National Gallery's response was characterized by a commitment to transparency with its stakeholders while prioritizing the security of its systems. The involvement of both a private cybersecurity firm and a national government cyber authority highlighted the serious approach taken to manage the incident. The recovery was a protracted effort, spanning at least two weeks from the initial detection date, with systems being restored in a controlled and phased manner. The primary impacts were internal, affecting staff productivity and administrative functions, while the public's ability to visit the gallery and view its collections was maintained throughout the ordeal. The loss of operational data represented a tangible cost to the institution, requiring efforts to reconstruct lost information and restore normal administrative workflows once systems were fully recovered.
