A shocking post-heist report has revealed that the Louvre’s cybersecurity was so lax, it would make a basic office email account seem like Fort Knox.
You’d think that a museum safeguarding some of humanity’s most priceless artefacts would operate under tight layers of security. Yet, a shocking post-heist report has revealed that the Louvre’s cybersecurity was so lax, it would make a basic office email account seem like Fort Knox. Confidential documents obtained by the French daily Libération revealed that the password for the Louvre’s video surveillance system was unbelievably “LOUVRE.”
Investigators found that access to another crucial piece of security software was protected by the password “THALES,” which, ironically, happens to be the name of the software’s publisher, the French technology firm Thales.
Although it remains unclear whether these glaring weaknesses directly contributed to the brazen October 18 heist—where $102 million (£76 million) worth of crown jewels vanished in broad daylight the revelations have turned the world’s most famous museum into a global punchline for cybersecurity failures.
These revelations stem from a decade-long series of cybersecurity audits conducted by France’s National Cybersecurity Agency (ANSSI). As far back as 2014, ANSSI had warned the museum that an attacker gaining control of its IT systems could “facilitate damage or even theft of artworks.” Yet, even then, the review found the museum’s digital defences to be “trivial.”
Javvad Malik, cybersecurity advisor at KnowBe4, told Daily Mail: “The museum’s video surveillance systems were protected by shockingly simplistic passwords.”
By using passwords identical to the museum’s own name and the software provider, Malik noted, “the Louvre opened the door to even the most basic hacking attempts.”
He added, “Whether this weakness played a role in the heist is still under review. But the lesson is clear. When systems safeguarding priceless cultural treasures rely on guessable credentials, it’s not a policy gap – it is an invitation, serving as an indicator that the overall culture of security may be weak.”
The Louvre was also discovered to be running an outdated version of Windows—essentially the cybersecurity equivalent of leaving one’s front door wide open. This made the museum highly vulnerable to known exploits, allowing hackers easy access to its internal systems.
Major security issues
While it’s uncertain whether the museum ever patched these vulnerabilities, subsequent reports—some as recent as 2025—continue to flag “major security issues.”
In 2017, ANSSI had again warned that while the Louvre had been “relatively spared,” it “can no longer ignore the potential threat of an attack whose consequences could prove dramatic.”
Meanwhile, the heist itself—carried out in under four minutes—seems to have been less the work of criminal masterminds and more of opportunistic amateurs. The thieves reportedly used a stolen mechanical lift to reach the Galerie d’Apollon balcony, smashed open display cases, and made off with the jewels—though not before dropping Empress Eugenie’s crown, leaving tools behind, and failing to burn the lift as planned.
Paris prosecutor Laure Beccuau downplayed the sophistication of the suspects, telling Franceinfo radio: “This is not quite everyday delinquency… but it is a type of delinquency that we do not generally associate with the upper echelons of organised crime.”
(This article has been curated with the help of AI)