Britain’s Museums Are Sitting Ducks For Cyber Attacks And The Government Has No Plan To Fix It

A damning new report from the Public Accounts Committee warns that the UK’s national museums and galleries remain dangerously exposed to cyber threats, with Whitehall still stuck in a reactive mode years after the British Library ransomware attack.

The UK’s cultural institutions, from the Natural History Museum to the National Gallery, are being left wide open to cyber-attacks and physical theft, according to a report published yesterday by the Public Accounts Committee (PAC). The findings make for uncomfortable reading: the government has no clear strategy, no concrete actions to point to, and is over-relying on the autonomy of institutions that often lack the in-house expertise to protect themselves.

The PAC’s warning comes nearly three years after the British Library was hit by a crippling ransomware attack that knocked out services for months and exposed sensitive data. Despite that high-profile wake-up call, the Department for Culture, Media and Sport (DCMS) was unable to provide the committee with specific examples of concrete steps taken across the sector in response.

Sir Geoffrey Clifton-Brown, Chair of the Public Accounts Committee, put it bluntly: “Cyber-attacks, the theft of items from collections and a fall in the number of visitors are just some of the issues museums and galleries are fighting to overcome. The lack of centralised support is leaving them vulnerable.”

A Watershed Moment The Government Has Wasted

Cybersecurity experts say the report confirms what the industry has been flagging for some time.

Graeme Stewart, Head of Public Sector at Check Point Software, describes the British Library incident as a turning point that the sector has yet to properly act on. “The 2023 attack on the British Library was a watershed moment for the sector,” he says. “It demonstrated that a ransomware incident can cripple operations, compromise data, and cause months of disruption, all while threatening the trust these institutions depend on. That the government has yet to translate the lessons of that incident into concrete, sector-wide protective action is deeply concerning.”

Stewart points to a specific tension that makes museums and galleries harder to defend than a typical organisation. “They combine the digital vulnerabilities of any modern organisation, including network-connected systems, online ticketing, and third-party suppliers, with unique physical security considerations and, in many cases, constrained budgets and limited in-house cyber expertise.”

His prescription mirrors what the PAC itself is calling for: DCMS taking a genuine coordinating role, facilitating shared threat intelligence, establishing baseline cybersecurity standards, and ensuring that digital record-keeping of collections is both implemented and properly secured.

“The sector cannot afford to wait for the next incident to act,” Stewart adds. “These institutions are the cultural lifeblood of this country and the long-term damage to the nation’s heritage, reputation and public trust that could result from continued inaction would be far harder to recover from than any single attack.”

A Culture Problem Not Just A Budget Problem

Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, takes a harder line and places some of the responsibility squarely on the institutions themselves.

“The evidence has been sitting in plain sight for years,” he says. “UK’s iconic cultural institutions suffered serious security incidents and the government’s response was to facilitate lessons-learned sharing. That’s not a security strategy. That’s hoping the next institution pays attention.”

Patel argues that framing the problem purely as a funding issue lets institutions off the hook. “The cultural sector has a security culture problem as much as a resource problem, and conflating the two lets institutions off the hook for the controls that are within their reach regardless of budget.”

He also pushes back on the idea that this is a museums-specific issue. “The PAC report is specifically about museums and galleries, but the structural problem it describes is not unique to them. Public sector bodies operating with significant autonomy, legacy infrastructure, constrained budgets, and limited in-house security expertise are a common profile across UK public institutions.”

A Sector Under Financial Pressure

The cybersecurity vulnerabilities sit against a backdrop of significant financial strain. The PAC’s report notes that DCMS provided 15 government-sponsored museums and galleries with £484 million in grant-in-aid funding in 2024-25, a real-terms reduction of 16% compared to pandemic-era levels. Visitor numbers have yet to return to pre-pandemic highs, while energy and staffing costs have risen sharply.

That said, institutions have made genuine strides in self-generated income, which totalled £563 million in 2024-25, a 53% real-terms increase on 2021-22. But those revenue streams depend on operational continuity and public trust: exactly what a serious cyber incident would put at risk.

The PAC has asked DCMS to set out the concrete actions it and individual museums have taken, and are taking, to address both cyber and physical security threats. It has also called for clear metrics to assess performance, and flagged concerns about high trustee vacancy rates and significant churn in senior financial leadership across the sector.

What Needs To Happen Next

Both experts agree that reactive incident-sharing is no substitute for genuine prevention. Stewart wants DCMS to take the lead on coordinating threat intelligence and setting minimum security standards across the sector. Patel wants a shift in security culture that doesn’t wait on central government.

“The PAC is right that the current approach of sharing lessons after incidents occur is not a substitute for preventing them,” Patel says.

For now, the gap between the scale of the threat and the maturity of the response remains wide, and the institutions holding some of Britain’s most irreplaceable assets are the ones most exposed.