Security at the Louvre Museum, episode 2. After the “crime of the century” in the Apollo Gallery carried out with heavy use of a circular saw, Libération reveals that the security and cyberdefense system of the world’s largest museum was as fragile as the display cases meant to protect the Crown Jewels.
The newspaper unearthed “confidential documents or those published as part of bidding processes” that lay bare the scale of the cyber fiasco.
First step: December 2014. The National Agency for the Security of Information Systems (ANSSI) carries out an initial audit of the museum’s security network, which oversees the most critical systems: access control, alarms, video surveillance. The conclusions, recorded in a 26-page report stamped “restricted distribution,” are alarming.
Once inside, the auditors show that it would be possible to compromise the video-protection system, to modify badge access rights, and even do so from outside the museum. The report also flags the presence of outdated systems still operating under Windows 2000.
ANSSI therefore recommends strengthening passwords, correcting vulnerabilities, and migrating to up-to-date systems. But what has actually been done?
2017: “Major deficiencies” persist
Three years later, a new audit by the National Institute for Security and Justice confirms that the problems remain. The confidential report titled “Security” deplores “major deficiencies” in the overall system, some of them identical to those identified in 2014.
Outdated operating systems (Windows 2000 and Windows XP) are still in service, without antivirus updates, often lacking passwords or session lock. The security technologies are described as “aging,” with regular technical malfunctions and only partial maintenance.
The document solemnly warns: while the museum “has thus far been relatively spared, it cannot ignore the potential for an attack whose consequences could prove dramatic.”
2025: eight softwares impossible to update
Recent technical documents, published as part of calls for bids between 2019 and 2025, reveal that the problem has not been solved. The Louvre’s security system has grown more complex over the years, layering IT circuitry and software to manage both analog and digital video surveillance, intrusion detection, access controls, and badges.
Among these tools is Sathi, a software package produced by Thales and purchased in 2003 to supervise video protection and access control. The problem: this system no longer receives development, having remained in use for years. In 2021, it still ran on Windows Server 2003, a platform Microsoft has abandoned since 2015.
Even more alarming, a summer 2025 procurement document lists no fewer than eight software components “unable to be updated,” all essential to the museum’s security operations: video surveillance, access controls, servers…
At the start of 2025, the Paris Police Prefecture launched an audit of the museum’s security. Vincent Annereau, who led the study, confirmed before the Senate on October 29 that the IT tool “needed to be, truly, modernized.”
One question remains: how could the world’s premier museum, guardian of priceless treasures, have allowed repeated warnings about its cyber vulnerabilities to go unaddressed for a decade?
