by Tova Osofsky
Posted on January 10, 2023
No industry is too rarified, respected or above-the-fray to be targeted by cybercriminals. Even cultural and fine art institutions – typically nonprofit organizations on tight budgets and almost always short on funds – have been the targets of cyberattacks.
One cultural institution that was recently victimized by a hacker attack is perhaps the premier performing arts company in America and definitely the largest – The Metropolitan Opera in New York.
The attack on the opera demonstrates the kind of grave damage that can plague a performing arts company as a result of a cyberattack.
Like other organizations in the performing arts, the Metropolitan Opera has been struggling to recover from the financial hit that came with pandemic-related closures and regulations. Ticket sales were still 75% lower than pre-pandemic levels earlier this year. With COVID restrictions gone and people feeling more comfortable going out again, the opera company was looking forward to a strong holiday season, the period when attendance rates are most robust and the company can regain financial ground. This time of year, the Metropolitan Opera can count on daily sales revenues of $200,000.
Instead of enjoying a return to brisk sales, all ticketing operations were entirely crippled by the cyberattack. The opera’s website, box office, and call center were all impacted. No tickets could be sold or exchanged and refunds could not be processed. The shows could go on but the 3000 employees could not be paid, nor could the star singers, musicians, directors and theater professionals who were set to appear in the grandiose productions of Verdi’s Aida or The Hours, a contemporary opera.
In a desperate move to salvage the season and keep revenues coming in, the Metropolitan sold general admission tickets for $50 – a windfall for fans used to paying much more – through a temporary website quickly spun up by Lincoln Center, the performing arts center where the opera is housed. But with no way to know which seats had already been ticketed, opera-lovers who came in on those $50 tickets had to wait until almost curtain time before ushers could direct them to still-empty seats.
There seems to have been an increase in cyberattacks targeting arts institutions. Around the same time that the Metropolitan Opera was attacked, Musikverein, Vienna’s top concert hall, also fell victim to a cyberattack. Musikverein’s website was taken down by presumed malware, although their internal systems, fortunately, were not affected.
Additional arts organizations have been impacted by an attack on WordFly, a company that provides digital marketing services including email and SMS marketing to organizations in the arts / sport / entertainment / culture worlds. WordFly was hit with a ransomware attack that shut them down for weeks, and personal data including names and email addresses of some of their clients’ clients had been exfiltrated. The thieves claim to have deleted any exfiltrated data – but there’s no way to determine the truth of that claim.
While the Metropolitan Opera is a large and extremely high-profile performing arts company, cyberattacks on small organizations have also been on the rise. The availability of “ransomware-as-a-service” makes it easy for “amateurs” to get into the ransomware business and also makes it cheaper and less difficult to go after smaller organizations. While the payout from a smaller organization might not be as great in a ransomware attack, their typically weaker defenses make them easier targets for cyberthieves with limited technical skills.
Generally speaking, the cybersecurity needs and challenges of arts organizations are similar to other live entertainment providers, such as sports teams and amusement parks. There are websites and apps to protect, venues to manage, large numbers of employees who may be working remotely and third-party vendors who may be accessing systems via unmanaged devices.
Arts organizations – unlike for-profit entertainment providers – are often restricted by limited cybersecurity budgets and, until now, may not have considered themselves to be likely targets. But as the Metropolitan Opera learned the hard way, investing in solid cybersecurity is less expensive than getting hacked.
ZTEdge was created as a comprehensive Zero Trust Secure Service Edge (SSE), especially tailored to the needs of mid-size enterprises, like fine and performing arts organizations. It enables business staff, coaches, performers, curators, and the myriad other professionals who keep these organizations running to securely access the enterprise apps that they need from wherever they are, without risk from phishing, malware and zero-day threats reaching networks and apps. Cloud-based access from unmanaged devices protects against credential theft and over-privileged access, without requiring third-party users or employees to install software on personal devices.
For all businesses today, the show must go on without costly, reputation-damaging cyberattacks. Contact us for a demo to discover how to secure your arts or entertainment organization and keep it humming along.