Default passwords at the Louvre expose deeper failures

Stunning nighttime view of the illuminated Louvre Pyramid and reflection in Paris, France.

The world’s most visited museum was guarded, in part, by a password you could guess from the gift shop. Recent audits reveal that the Louvre’s surveillance backbone relied on default credentials and aging software, an open secret hiding in the glare of the Pyramid’s glass.

What sounds like a punchline is instead a case study in how technical debt and governance gaps can erode security at even the most iconic institutions.

A burglary, then a shift in tone

The reckoning accelerated after a burglary on October 19, 2025, jolted France’s cultural establishment. In the immediate aftermath, Culture Minister Rachida Dati initially insisted there was no systemic failure. Ten days later, addressing senators, her tone hardened as a series of audits came to light and the discussion turned from incident response to structural weakness.

Those audits, consulted by journalists at CheckNews and summarized by French outlet Les Numériques, described a security infrastructure whose vulnerabilities had compounded over more than a decade. The Louvre, the reports suggest, was running critical systems without support, stacking legacy components until the seams began to show.

Auditors found a patchwork beyond its sell-by date

At the core of the findings was Sathi, a Thales software suite purchased in 2003 to supervise CCTV and access control. A 2019 public procurement document noted that Sathi no longer received vendor support; Thales, for its part, told CheckNews there was no maintenance contract and the museum had not contacted the company about the issue. One archival document indicated Sathi had run on Windows Server 2003—an operating system Microsoft stopped supporting in 2015.

The problem ran deeper than a single product. According to the documents, eight software packages tied to critical surveillance functions had aged out of updates. Windows 2000 and Windows XP machines persisted in the ecosystem. Technical complexity accreted over years, with separate solutions governing digital video, intrusion detection, badges, and proximity sensors—each with its own update cadence and failure modes.

“An attacker gaining control [of the network] would be able to facilitate damage or even thefts of works,” the French National Cybersecurity Agency (ANSSI) warned in a restricted 26-page report after a 2014 test of the museum’s safety network.

In that 2014 exercise, ANSSI experts were able to move from the office IT network into the dedicated safety network that connects the most sensitive equipment—access control, alarms, and video surveillance—then compromise CCTV, and even alter badge permissions by manipulating a database. It was a blueprint, not only of exposed systems, but of insufficient segmentation and oversight.

Passwords hiding in plain sight

Perhaps the most arresting detail was also the simplest: weak or default passwords guarding critical components. As relayed by CheckNews, ANSSI reported that typing “LOUVRE” was sufficient to access a server managing video surveillance. “THALES” worked for a related software credential.

Security professionals call this the original sin of system administration. Default credentials are meant to be changed on day one. When they are not—especially on systems tied to physical protection—they create a single point of catastrophic failure, regardless of how many cameras watch the galleries.

Warnings unheeded, urgency renewed

A second, broader review by the National Institute of Advanced Studies in Security and Justice (INHESJ) stretched into 2017 and echoed those concerns, extending them beyond technology to management and training. The report, confidential but described in French press accounts, was blunt about the stakes.

“Major shortcomings were observed in the overall system,” the INHESJ assessment concluded, adding that while the museum had been “relatively spared” so far, it could no longer ignore the possibility of an incident with “dramatic consequences.”

Another section underscored the everyday fragility of old infrastructure:

“The technologies are aging and experience regular technical malfunctions… Controls and maintenance are carried out only partially.”

Earlier this year, the Paris police prefecture initiated a new audit focused on the museum’s security control posts. “The IT tool needed to be truly modernized,” Commissioner Vincent Annereau told senators on October 29, 2025. “What I can attest to is that the Louvre’s leadership was fully aware of the need for a fresh look at the overall security apparatus.”

According to the reporting, the Louvre, the police prefecture, and the Culture Ministry declined to comment on the specifics of the audits’ findings.

Why this matters far beyond Paris

It is tempting to file this episode under Parisian irony: a museum synonymous with the Mona Lisa undone by a password anyone could guess. But the story is really about what happens when physical security meets information security and neither is funded, staffed, or governed to keep up with the other.

Museums, hospitals, utilities, and transit agencies all operate mixed environments where legacy systems—industrial controls, cameras, badge readers—must talk to modern networks. These operational technologies seldom age gracefully. When maintenance contracts lapse and operating systems outlive their patches, risk doesn’t just accumulate; it compounds. Every new camera or sensor added to a brittle core becomes another path to failure.

Budget pressures and procurement cycles make the problem worse. Multi-year capital plans privilege big installs and underrate lifecycle costs. Responsibility toggles between facilities, IT, security, and vendors. Without a clear owner, something as basic as changing a default password can fall through the cracks for years.

What a safer future looks like

The Louvre’s reckoning offers a roadmap for institutions everywhere. The specifics will vary, but the principles are durable:

  • Own the inventory. Establish a living map of every device, system, version, and dependency tied to safety and surveillance.
  • Segment like lives depend on it. Separate office IT from safety networks, and carve safety into zones so a compromise doesn’t cascade.
  • Kill the defaults. Enforce strong, unique credentials and multi-factor authentication on administrative interfaces, and rotate credentials on schedule.
  • Modernize with discipline. Replace unsupported systems, consolidate overlapping tools, and tie upgrades to vendor support lifecycles.
  • Contract for resilience. Bake maintenance, patching, and response obligations into supplier agreements, with clear lines of accountability.
  • Drill and audit. Test incident response across physical and cyber teams, and invite independent auditors to try to break your defenses before criminals do.
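One way to make the first four principles above checkable rather than aspirational, as an added example that is not code from the article or from any of the audits it cites: a small inventory audit that flags assets whose admin password is a generic default or simply the site or vendor name (the "LOUVRE" / "THALES" pattern), whose OS is past vendor support, whose maintenance contract has lapsed, or which sit on the safety network yet are reachable from office IT. The asset records, vendor names and passwords are constructed; the Microsoft end-of-extended-support dates are the published ones.

```python
from dataclasses import dataclass
from datetime import date

# Published end of extended support for the operating systems the audits name.
OS_EOL = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}
GENERIC_DEFAULTS = {"admin", "password", "1234", ""}

@dataclass
class Asset:
    name: str
    os: str
    zone: str               # "office" or "safety"
    reachable_from: tuple   # zones with a network path to this asset
    vendor: str
    vendor_supported: bool  # is there a current maintenance contract?
    admin_password: str     # as recorded in the credential vault (constructed)

def credential_findings(asset, site_name):
    pw = asset.admin_password.strip().lower()
    if pw in GENERIC_DEFAULTS:
        return ["default or empty admin password"]
    if pw in {site_name.lower(), asset.vendor.lower()}:
        return ["admin password is the site or vendor name"]
    if len(pw) < 12:
        return ["admin password shorter than 12 characters"]
    return []

def audit(assets, site_name, as_of):
    """Return {asset name: [findings]} for every asset needing attention, as of an ISO date."""
    today, report = date.fromisoformat(as_of), {}
    for a in assets:
        findings = credential_findings(a, site_name)
        eol = OS_EOL.get(a.os)
        if eol and eol <= today:
            findings.append(f"{a.os} unsupported since {eol.isoformat()}")
        if not a.vendor_supported:
            findings.append(f"no maintenance contract with {a.vendor}")
        if a.zone == "safety" and "office" in a.reachable_from:
            findings.append("safety-network asset reachable from office IT")
        if findings:
            report[a.name] = findings
    return report

# Constructed sample inventory; hostnames, vendor and passwords are illustrative only.
SAMPLE = [
    Asset("cctv-srv-01", "Windows Server 2003", "safety", ("office", "safety"), "ExampleVendor", False, "LOUVRE"),
    Asset("badge-db-02", "Windows XP", "safety", ("safety",), "ExampleVendor", False, "examplevendor"),
    Asset("nvr-03", "Linux", "safety", ("safety",), "OtherVendor", True, "Z7q#vLp9!mXw2r"),
]
```

Running `audit(SAMPLE, "Louvre", "2025-10-29")` reports four findings for the CCTV server, three for the badge database, and nothing for the patched, well-credentialed recorder.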

None of these steps are glamorous, and none will ever draw a crowd like the Venus de Milo. But they are the quiet machinery of trust, the systems that let the public marvel at art without worrying about the scaffolding behind it.

For a museum built on centuries of human ingenuity, a password like “LOUVRE” is a jarring anachronism—a relic that should never have been on display. The good news is that the fix does not require genius, only resolve: change the defaults, retire what is obsolete, and give guardians the tools to guard.

Great institutions are judged by more than the treasures they hold. They are defined by how they protect them. In that, the Louvre now has a chance to lead a renaissance of its own.
