Cyber Incident Victim: Gallery Systems
Date: Dec 2023
Location: United States of America
Summary
A ransomware attack targeted Gallery Systems, a provider of museum software solutions, causing widespread IT outages and forcing the company to take systems offline to contain the encryption of devices. The incident disrupted the online public viewing platform eMuseum, used by numerous museums and colleges to host searchable collections and exhibitions, rendering associated subdomains inaccessible. The organization, which serves over 800 institutions including prominent art museums, initiated restoration efforts using the last available backups and launched an internal investigation while notifying law enforcement. No ransomware group has claimed responsibility for the attack at this stage.
Description
On December 28, 2023, Gallery Systems experienced a ransomware attack that encrypted certain computer systems running its gallery and collection management software, rendering them inoperable. The company, formed in April 2022 through a merger with Artsystems and serving over 800 museums globally, promptly took affected systems offline to contain the incident and prevent further encryption of devices. This outage disrupted core services, including eMuseum—a public-facing platform museums and colleges use to host searchable online collections and exhibitions through emuseum.com subdomains. Gallery Systems notified customers of the attack via a formal letter, confirming the encryption event had halted software operations and necessitated emergency measures. The organization initiated around-the-clock recovery efforts focused on restoring software access and pledged to recover customer data using the last available backups. Internal investigations commenced to assess the breach’s scope and impact, with parallel notifications to law enforcement agencies. No ransomware group claimed responsibility for the attack as of the article’s publication, leaving the threat actors unidentified. Prominent institutions relying on Gallery Systems’ software—including New York’s Museum of Modern Art, the Metropolitan Museum of Art, the Chrysler Museum of Art, Seattle’s Museum of Pop Culture, the Barnes Foundation, Crystal Bridges Museum of American Art, and the San Francisco Museum of Modern Art—faced service interruptions due to the incident.

The cyberattack caused widespread inaccessibility of online museum collections hosted through eMuseum, with all associated subdomains remaining offline during Gallery Systems’ remediation efforts. The company prioritized system restoration and data recovery while withholding specifics about the attack vector, encryption methods, or potential data compromise beyond confirming ransomware’s role. Customers received assurances of forthcoming updates as the investigation progressed but were provided no estimated restoration timeline. Gallery Systems did not publicly disclose whether the attack affected internal corporate systems, client data integrity, or backup infrastructure, nor did it confirm whether the ransomware operators exfiltrated data. BleepingComputer’s inquiries regarding attack details and client impacts received no response from the company. The incident highlighted operational vulnerabilities in cultural institution service providers, with museums globally experiencing prolonged downtime of their digital collections during the outage. Restoration efforts continued without external claims of responsibility or disclosed negotiation attempts between Gallery Systems and the attackers.
