We Are Not Entertained: Performing Arts are Under Cyberattack

Author Avatar


Posted on January 10, 2023

Want to interview Tova?


No industry is too rarified, respected or above-the-fray to be targeted by cybercriminals. Even cultural and fine art institutions – typically nonprofit organizations on tight budgets and almost always short on funds – have been the target of cyberattack.
One cultural institution that was recently victimized by a hacker attack is perhaps the premier performing arts companies in America and definitely the largest – The Metropolitan Opera in New York.

Attack on the Metropolitan Opera

The attack on the opera demonstrates the kind of grave damage that can plague a performing arts company as a result of a cyberattack.

Like other organizations in the performing arts, the Metropolitan Opera has been struggling to recover from the financial hit that came with pandemic-related closures and regulations. Ticket sales were still 75% lower than pre-pandemic levels earlier this year. With COVID restrictions gone and people feeling more comfortable going out again, the opera company was looking forward to a strong holiday season, the period when attendance rates are most robust and the company can regain financial ground. This time of year, the Metropolitan Opera can count on daily sales revenues of $200,000.

Instead of enjoying a return to brisk sales, all ticketing operations were entirely crippled by the cyberattack. The opera’s website, box office, and call center were all impacted. No tickets could be sold or exchanged and refunds could not be processed. The shows could go on but the 3000 employees could not be paid, nor could the star singers, musicians, directors and theater professionals who were set to appear in the grandiose productions of Verdi’s Aida or The Hours, a contemporary opera.

In a desperate move to salvage the season and keep revenues coming in, the Metropolitan sold general admission tickets for $50 – a windfall for fans used to paying much more – through a temporary website quickly spun up by Lincoln Center, the performing arts center where the opera is housed. But with no way to know which seats had already been ticketed, opera-lovers who came in on those $50 tickets had to wait until almost until curtain time before ushers could direct them to still-empty seats.

For Attacks on the Arts, Size Doesn’t Matter

There seems to have been an increase in cyberattacks targeting arts institutions. Around the same time that the Metropolitan Opera was attacked Musikverein, Vienna’s top concert hall, also fell victim to a cyberattack. Musikverein’s website was taken down by presumed malware, although their internal systems, fortunately, were not affected.

Additional arts organizations have been impacted by an attack on WordFly, a company that provides digital marketing services including email and SMS marketing to organizations in the arts / sport / entertainment / culture worlds. WordFly was hit with a ransomware attack that shut them down for weeks, and personal data including names and email addresses of some of their clients’ clients had been exfiltrated. The thieves claim to have deleted any exfiltrated data – but there’s no way to determine the truth of that claim.

While the Metropolitan Opera is a large and extremely high-profile performing arts company, cyberattacks on small organizations have also been on the rise. The availability of “ransomware-as-a-service” makes it easy for “amateurs” to get into the ransomware business and also makes it cheaper and less difficult to go after smaller organizations. While the payout from a smaller organization might not be as great in a ransomware attack, their typically weaker defenses make them easier targets for cyberthieves with limited technical skills.

Cybersecurity for the Entertainment Sector

Generally speaking, the cybersecurity needs and challenges of arts organizations are similar to other live entertainment providers, such as sports teams and amusement parks. There are websites and apps to protect, venues to manage, large numbers of employees who may be working remotely and third-party vendors who may be accessing systems via unmanaged devices.

Arts organizations – unlike for-profit entertainment providers – are often restricted by limited cybersecurity budgets and, until now, may not have considered themselves to be likely targets. But as the Metropolitan Opera learned the hard way, investing in solid cybersecurity is less expensive than getting hacked.

ZTEdge was created as a comprehensive Zero Trust Secure Service Edge (SSE), especially tailored to the needs of mid-size enterprises, like fine and performing arts organizations. It enables business staff, coaches, performers, curators, and the myriad other professionals who keep these organizations running to securely access the enterprise apps that they need from wherever they are, without risk from phishing, malware and zero-day threats reaching networks and apps. Cloud-based access from unmanaged devices protects against credential theft and over-privileged access, without requiring third-party users or employees to install software on personal devices.

For all businesses today, the show must go on without costly, reputation-damaging cyberattacks. Contact us for a demo to discover how to secure your arts or entertainment organization and keep it humming along.

Share this on:

Author Avatar

About Tova Osofsky

Tova Osofsky, Ericom Director of Content Marketing, has extensive experience in marketing strategy, content marketing and product marketing for technology companies in areas including cybersecurity, cloud computing, fintech, compliance solutions and telecom, as well as for consumer product companies. She previously held marketing positions at Clicktale, GreenRoad and Kraft Foods, and served as an independent consultant to tens of technology startups.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.