When we talk about cybersecurity as it applies to cultural heritage, we tend to picture almost academic scenarios. Yet between late January and early February 2026, the Uffizi Galleries in Florence found themselves at the centre of one of the most complex incidents ever recorded in the Italian museum sector, a case that starkly demonstrated how blurred the line between digital security and physical security has become.
What had seemed for days to be a simple malfunction in the administrative systems turned out, in reality, to be a slow, methodical and highly skilled infiltration operation.
An initial breach originating from afar
The evidence gathered by investigators traces the start of the operation back to August 2025. A timeframe that immediately highlights the sophistication of the attack: no impulsive action, but a planned persistence campaign.
The entry point? Outdated software, left behind in the update process and used to manage the flow of low-resolution images from the institutional website. A component considered ‘non-priority’ in the modernisation strategy, and for that very reason perfect as a Trojan horse. Through that breach, the attackers gained initial access that was stealthy yet stable.
Lateral movement: the most dangerous phase
Once inside, the group began the most delicate phase: lateral movement within the network connecting the Uffizi, Palazzo Pitti and the Boboli Gardens. Everything was carried out using a low-and-slow approach, avoiding any visible anomalies in the logs or monitoring systems.
No sudden spikes, no conspicuous behaviour: just a steady stream of packets copied and transferred patiently, over months. By the time the attack finally erupted, paralysing the administrative servers, the attackers had already taken away far more than initially imagined.
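A steady trickle like the one described above never trips an alert keyed to daily spikes. As an added illustration (not taken from the investigation or from the original article), this sketch contrasts a per-day spike rule with a rolling cumulative check per source/destination pair; the host names, addresses, thresholds and flow records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

MIB = 1024 ** 2
SPIKE_PER_DAY = 500 * MIB      # assumed per-host daily alert threshold
WINDOW_DAYS = 30               # assumed look-back window
WINDOW_BUDGET = 2048 * MIB     # assumed cumulative budget per (src, dst) pair
MIN_ACTIVE = 24                # assumed: days in window with traffic (persistence)

def build_sample_flows():
    """Constructed daily egress summaries: (day, src_host, dst_ip, bytes_out)."""
    start, flows = date(2025, 9, 1), []
    for i in range(60):
        day = start + timedelta(days=i)
        # Steady 120 MiB/day to one external address: never a spike.
        flows.append((day, "img-srv", "203.0.113.10", 120 * MIB))
        # Ordinary workstation with small, varying traffic.
        flows.append((day, "ws-17", "198.51.100.5", (5 + i % 7) * MIB))
    # One legitimate large upload, the only thing a spike rule sees.
    flows.append((start + timedelta(days=20), "ws-17", "198.51.100.5", 700 * MIB))
    return flows

def spike_alerts(flows):
    """Hosts whose egress on any single day exceeds SPIKE_PER_DAY."""
    per_day = defaultdict(int)
    for day, src, _dst, n in flows:
        per_day[(day, src)] += n
    return sorted({src for (_, src), total in per_day.items() if total > SPIKE_PER_DAY})

def slow_exfil_alerts(flows):
    """First day each (src, dst) pair exceeds the rolling budget persistently."""
    per_pair = defaultdict(lambda: defaultdict(int))
    for day, src, dst, n in flows:
        per_pair[(src, dst)][day] += n
    alerts = {}
    for pair, days in per_pair.items():
        for end in sorted(days):
            window = [days.get(end - timedelta(days=k), 0) for k in range(WINDOW_DAYS)]
            if sum(window) > WINDOW_BUDGET and sum(b > 0 for b in window) >= MIN_ACTIVE:
                alerts[pair] = end
                break
    return alerts

if __name__ == "__main__":
    flows = build_sample_flows()
    print("spike rule:", spike_alerts(flows))
    print("rolling rule:", slow_exfil_alerts(flows))
```

On the constructed data the spike rule flags only the workstation's one-off upload, while the rolling rule flags the image server once its trickle has persisted long enough to exceed the window budget.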
What was stolen: far more than just data
The data breach was not limited to stealing digital documents. It affected three extremely sensitive areas:
- Digital photographic archive: decades of digitisation, one of the museum’s most precious historical records. Part of this heritage may never be recoverable.
- Technical information on physical security: internal floor plans, patrol routes, sensor maps, camera positions, even operational procedures. In effect, a manual for moving unnoticed within the museum complex.
- Credentials and alarm deactivation codes: perhaps the most worrying element, as it transforms a cyberattack into a concrete threat to the artworks.
This is the truly critical aspect of the Uffizi case: the digital breach has thrown open the door to a potential physical breach.
The extortion phase: direct and personal blackmail
The ransom demand arrived in an unusual and very un-‘technical’ manner: a message on the director’s personal smartphone. The criminals threatened to sell the stolen information on the dark web, effectively putting the entire security system of the museum complex at risk.
After an initial contact, communications ceased. A decision that further increases uncertainty regarding the actual destination of the data.
At the time of writing on 3 April 2026, our Cyber Threat Intelligence team has found that there is no public evidence of the data being circulated on the dark web, but the risk of targeted use or private sale remains high.
When digital systems fail, ‘analogue patching’ comes into play
With the electronic systems compromised, management was forced to resort to drastic physical countermeasures, almost reminiscent of a bygone era, but necessary to re-establish a minimum level of security.
Some doors were literally bricked up. Entire areas of Palazzo Pitti were closed to the public. The most precious items from the Grand Ducal Treasury were urgently moved to the armoured vaults of the Bank of Italy. A complex, costly and gruelling operation, but essential to contain the risk.
The final picture: an incident that changes the rules of the game
Today, the investigation is in the hands of the Public Prosecutor’s Office and the Postal Police, with the support of the National Cybersecurity Agency. For an institution that generates over €60 million a year, the reputational and economic impact is significant.
But the real point lies elsewhere: the Uffizi case definitively demonstrates that cybersecurity and physical protection are no longer two parallel worlds. They are a single ecosystem. When one of the two components fails, the other immediately becomes vulnerable.
And this is precisely why a cyberattack, in 2026, could turn into a direct threat to the cultural heritage of an entire country.