The Louvre Museum in Paris, victim of an audacious burglary involving a furniture lift last month, has been struggling for over a decade to upgrade outdated software, including that controlling its video surveillance systems, according to a French newspaper report.

Thieves used a furniture lift to break in through a second-floor window on October 19, stealing eight items of jewelry. Alarm systems on the window and on the display case holding the jewelry functioned as expected, according to the French Ministry of Culture, and police were on the scene within three minutes. The raid prompted a top-to-bottom review of security at the museum.

The Inspectorate General of Cultural Affairs (IGAC) submitted its first conclusions last week, prompting the Minister of Culture to recommend new governance rules and security policies, the installation of additional security cameras around the building perimeter, and an urgent update of all security protocols and procedures by year-end. The details of the report remain confidential.

IT problems date back over a decade

But numerous IT problems related to security systems were already evident as long ago as 2014 and 2017, according to earlier confidential audits of security systems seen by French newspaper Libération.

The museum was still running Windows 2000 on its office automation network when the French National Agency for the Security of Information Systems (ANSSI) conducted its 2014 audit, the newspaper reported — although Microsoft had stopped providing security updates for that version of its operating system three years earlier, in July 2010. The audit report also highlighted a video surveillance server with the password “LOUVRE” and a video surveillance application made by Thales with the password “THALES,” the newspaper said.

ANSSI naturally recommended using more complex passwords, migrating software to versions supported by the developers, and patching vulnerabilities. Libération said the museum declined to respond when asked if it had followed these recommendations.

Clearly, though, some of them were not followed.

A second audit took place in 2017, conducted this time by the French National Institute of Advanced Studies in Security and Justice (INHESJ). “Certain workstations have obsolete operating systems (Windows 2000 and Windows XP) which no longer guarantee effective security (no antivirus updates, no passwords or session lock…),” Libération quoted the audit as saying. Microsoft ended extended support for Windows XP in 2014.

No updates for eight security applications

The newspaper also examined calls for tender and other public procurement documents issued by the museum in the years since the audits.

Twenty years of technical debt weighed heavily on security at the Louvre, as it steadily accumulated systems for analogue video surveillance, digital video surveillance, intrusion detection, and access control, some of them with dedicated servers or proprietary applications. Some of these became obsolete over time and needed updating or replacing.

Thales supplied one such system, Sathi, to the Louvre in 2003, but it was no longer supporting it by February 2019, according to public procurement documents seen by the newspaper. As recently as the middle of this year, eight Sathi applications appeared on a museum list of “software that cannot be updated”.

The Louvre’s Windows problems continued at least through 2021, when another document noted it was using Sathi on a machine still running Microsoft Windows Server 2003, which reached the end of extended support in 2015.

There’s no indication that the Louvre’s longstanding software problems were implicated in the recent burglary, but IGAC’s report last week did highlight a number of security failures, including insufficient surveillance systems and an underestimate of the risks of intrusion stretching back 20 years.
