Even Botticelli’s Venus needs the right antivirus and trained people to protect her. The truth from the Uffizi director
Florence, between late January and early February 2026. While tourists from all over the world queue to admire the Primavera or Leonardo’s Annunciation, something invisible and dangerous is happening in the digital bowels of one of Italy’s most famous museums. Through software for managing low-resolution images, accessible from the institutional website, a group of cybercriminals breached the network of the Uffizi Galleries and infiltrated the administrative systems of the entire Florentine museum complex.
But it wasn’t a sudden blitz.
According to some reconstructions, the attack could have even deeper roots: its traces reportedly date back to the summer of 2025, with a months-long preparatory phase during which the attackers moved silently through the infrastructures of the Uffizi, Pitti Palace, and Boboli Gardens. It is the classic technique of professional cybercriminals: enter slowly, stay in the shadows, gather everything possible, and only strike at the end.
The Corriere revelations: the worst-case scenario
For weeks, the matter had remained confined to investigative circles, with the museum downplaying it as a simple service disruption to administrative systems. Then, in early April, Corriere della Sera revealed a far more disturbing scenario.
According to the newspaper, the hacker group allegedly emptied the servers of the entire Museum Complex: not only was the entire photographic cabinet archive reportedly stolen, but the criminals allegedly managed to enter the technical office systems, getting their hands on access codes, passwords, alarm systems, internal maps, entrances, exits, and service routes, as well as the location of surveillance cameras and sensors.
The picture that emerges is like a thriller: with that information, a gang of thieves could move undisturbed among the masterpieces, knowing exactly where to go, what to avoid, and what to deactivate. A manual for robbing Italy’s most visited museum, delivered on a digital silver platter.
The Public Prosecutor’s Office and the Postal Police are now investigating the incident, supported by experts from the National Cybersecurity Agency, while contact with the blackmailers seems to have broken off several weeks ago, leaving the museum in a state of anticipation and high alert.
The ransom on the director’s phone
A request for 300,000 euros in cryptocurrency, to be paid within 72 hours, arrived directly on the personal phone of director Simone Verde in early February.
Not an institutional email, not a formal communication: a private and intimidating message delivered to the personal device of the museum’s leader. A gesture that says a lot about the sophistication of the attackers, the depth of their infiltration, and their intent to apply direct psychological pressure.
From a technical standpoint, some specialized sources have linked the attack to the latest-generation BabLock ransomware, also known as Rorschach, characterized by high encryption speed and advanced evasion techniques capable of bypassing many traditional detection systems. The mode of operation corresponds to that of an APT (Advanced Persistent Threat) attack, a highly sophisticated cyber intrusion: hackers enter through a secondary weak point, remain hidden in the network for a long time without being noticed, move from one system to another, and gather data bit by bit. It is a slow and silent attack, where the one with the most patience wins.
The museum’s response: “No theft, no damage”
The Uffizi management is not standing by and is responding point by point. In a long and stern note, the Galleries deny the Corriere’s alarm: no theft of sensitive information, photographic archive recovered via backup, and security work scheduled well before the attack.
On the most delicate chapter — maps and security codes — the museum’s reply is clear: no security system passwords were stolen because those systems operate on an internal closed circuit; there is no evidence of possession of security maps; and the location of cameras is by definition visible to any visitor who looks up.
Regarding the alleged theft of photographic backups, the Uffizi clarify that the server was not stolen and that the backup performed is complete, with the entire archive fully in the museum’s possession.
The fact remains that the Museum has now rushed the Medici Grand Ducal Treasure to the Bank of Italy’s Florentine vault, walled up some doors, and asked staff for maximum confidentiality. It seems like a trench-warfare situation, even if the Museum justifies these actions with the start of long-planned construction sites and various ongoing works.
Beyond the bickering between Corriere della Sera and the Museum, the truth, as often happens, may lie somewhere in the middle. The decisive point is the distinction between an attack on work systems and a confirmed compromise of the physical security perimeter: two different levels. The first involves operational continuity, backups, archives, emails, and response capacity. The second would involve alarms, sensors, service routes, and the immediate protection of the artworks.
A national emergency
The matter has reached Parliament: the PD in the Chamber has submitted an inquiry asking Culture Minister Alessandro Giuli to clarify urgently how much the MIC spends on cybersecurity to protect cultural institutions.
Because today, a cyberattack on cultural systems can translate into a form of erosion of national identity, all the more serious in an era where the knowledge and enjoyment of heritage increasingly pass through digital channels.
The human factor: the vulnerability no firewall can fix
As mentioned, the entry point for the cybercriminals was an old piece of software used every day by hundreds of thousands of people worldwide to download photos of masterpieces from the enormous artistic heritage:
“It was one of the few that had not been updated by our IT manager,” say sources inside the museum, according to the publication “Quotidiano Arte”.
A point that highlights a now well-established concept: cybersecurity is, first and foremost, a matter of culture and shared responsibility, and often technology alone is not enough.
Training staff therefore becomes an institutional duty, as much as restoring a fresco or cataloging a collection. Criminals almost always strike out of opportunity: where they find exposed systems, outdated programs, weak identities, and insufficient monitoring. And often those weaknesses are not in the servers, but in the people who use them: an employee clicking on a suspicious email, a shared password, a software update ignored for too long.
In a context of increasingly digitalized institutions, obsolete technologies, inadequate infrastructure, and limited budgets prevent many cultural entities from implementing structured cybersecurity strategies.
But staff training is the first, indispensable line of defense: knowing how to recognize a phishing attempt, understanding why software updates must be installed, and grasping the value of the information handled every day. No technological investment, however many millions it costs, can compensate for the lack of a security culture spread throughout every level of the organization.







