The Metropolitan Opera Cyberattack Highlights Vulnerability of Cultural Institutions

On December 7, The New York Times reported on a cyberattack impacting The Metropolitan Opera in New York. The attack affected the opera’s network systems, including its website, box office and call center. The Met’s website was restored on December 15.

The perpetrators behind the attack have yet to be identified, but The New York Times noted the opera’s vocal support of Ukraine during the ongoing Russia-Ukraine War.

The opera is still putting on shows, and the Lincoln Center for the Performing Arts stepped in to handle ticket sales while the Met recovered from the attack. While the full extent of the damage is yet to be determined, the disruption of ticket sales impacted revenue.

The Met’s general manager Peter Gelb told The New York Times that the opera typically takes in approximately $200,000 in ticket sales per day during this season. The cyberattack impacted the opera’s ability to sell tickets, and during the interim, tickets were sold for $50 through the Lincoln Center for the Performing Arts site.

The cyberattack on the Met is not the first on a cultural institution. In 2019, the Asian Art Museum in San Francisco suffered a ransomware attack. In 2020, hackers accessed the personal information of donors from hundreds of different cultural institutions and charities.

Why Target Non-Profits?

Cultural institutions, like the Met, performing arts centers and museums, are often non-profit organizations. What is the value in targeting these organizations for cyberattacks?

“Hackers do not discriminate between Fortune 500 companies or not-for-profit cultural institutions like the Met,” Tommy Johnson, a security engineer at cyber insurance provider Coalition, tells InformationWeek.

Cultural institutions still operate as businesses. They generate revenue from ticket sales, and they often safeguard the personal information of many wealthy donors.

In some cases, a cultural institution may not even be the primary target of a cyberattack, simply collateral damage. “Cultural institutions are more often than not a detour for adversaries. Having valid credentials from these organizations opens the ‘keys to the kingdom’ and can be a means to an end for a higher-stakes target,” Tyler Farrar, CISO of cybersecurity company Exabeam, contends.

Whatever the motive and means, the cyberattack on the Met is a warning to other cultural institutions. Anyone is a potential target. “I am always cautioning clients that everyone is a target, regardless of their size and industry. It should not take an incident such as this to make other cultural institutions realize they are at high risk,” says Richard Sheinis, partner and head of data privacy and cybersecurity at full-service law firm Hall Booth Smith.

The non-profit sector can also be an attractive target because these organizations do not always have the budget, resources, and knowledge to implement a robust cybersecurity strategy. Plus, many cultural institutions are still struggling to recover from the impact of the COVID-19 pandemic.

“Given so many of these cultural event spaces were shut down during the pandemic, there may be a lot of technical debt and staffing shortages to catch up on as they bring their operations back to pre-pandemic levels,” Melissa Bischoping, director, endpoint security research specialist at cybersecurity and systems management company Tanium, points out.

Threat actors are capitalizing on vulnerabilities in the non-profit sector. The 2022 Cyber Claims Report from cyber insurance provider Coalition found that claims frequency for nonprofit policy holders is up 57%.

Preparing for Cyberattacks

How can non-profits, like cultural institutions, address cybersecurity vulnerabilities and prepare for the possibility of an attack like the one the Met suffered?

Finding room in the budget at a non-profit is always challenging, but cybersecurity is a worthwhile investment.

“It is almost always cheaper to spend now than spend later after a cyberattack. Every business must realize that protecting against a cyberattack is simply part of the cost of doing business,” says Sheinis.

Bringing cybersecurity to the attention of leadership at cultural institutions is an important step toward making it a priority. “Many cultural institutions will have a board of directors, and it’s critical that company leaders at these institutions get board buy-in on cybersecurity,” says Farrar.

Investing in prevention, as well as detection and response, can help reduce the risk of cyberattacks and mitigate the impact if an attack does occur. If organizations do not have the resources to retain in-house cybersecurity talent, they can turn to third-party cybersecurity companies.

Regardless of how cybersecurity strategy is implemented, it is important that it has buy-in across all levels of an organization, from leadership on down. “Ultimately, cybersecurity is a team sport -- everyone from security vendors and customers to opera soloists and ushers plays a role in protecting a cultural institution from cyber threats,” Johnson says.

David Maynor, head of the Threat Intelligence Group at cybersecurity and IT workforce development platform Cybrary, hopes to see more awareness of cybersecurity and collaboration among cultural institutions. “Most industries have threat-sharing communities to trade insider tips on attacks and techniques. The arts and cultural community needs to follow suit. These community efforts are best led from inside the industry rather than by external entities that might place things like sales above security,” he says.

What to Read Next:

How Cyberattackers Are Cultivating New Strategies and Reconfiguring Classic Gambits

Ukraine Cybersecurity Message at BlackBerry Security Summit

Buttoning Up Cybersecurity to Avoid Fashion Retailer's Fate