{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigsep7ni4diy7adg6n7v7suatx3twqpdyxzxsg23oixm2vvgbfnlu",
"uri": "at://did:plc:kwaa23jlraot4glwkrbceaov/app.bsky.feed.post/3mp4w5y5gpbf2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreihkhcif6mjgocgvgq5cs57cazunx2dhepvbahfqnuywzomsuiaeim"
},
"mimeType": "image/jpeg",
"size": 461751
},
"description": "As MPs warn that national museums remain exposed to cyber-attacks and theft, the issue is not simply whether institutions are secure. It is whether they are being asked to carry risks that now belong to the whole public culture system.",
"path": "/uk-museums-limit-autonomy-cyber-theft-risk/",
"publishedAt": "2026-06-25T17:07:40.000Z",
"site": "https://www.artwalkway.com",
"textContent": "The Public Accounts Committee has not discovered that museums are vulnerable.\n\nMuseums already know this.\n\nWhat the committee has made visible is the gap between institutional responsibility and the structure around it. National museums and galleries are expected to protect collections, buildings, staff data, digital records, visitor access and public trust. The risks now move across all of those layers at once.\n\nThe governing model has not moved at the same speed.\n\nThe report follows the two incidents that still frame the sector’s recent anxiety. In 2023, the British Museum revealed that around 2,000 objects had been stolen, damaged or gone missing from its collections over a period of years. The same year, the British Library suffered a ransomware attack that disrupted digital services for months and exposed staff and user data.\n\nOne case centred on objects. The other on access, data and trust.\n\nTogether, they show how the museum has changed. The institution is no longer secured only through guards, stores, cases and registers. It is also held through databases, permissions, loan records, backups, insurance files, staff workflows and public digital services.\n\nThe collection is now also an administrative and technical condition.\n\nThat is where the pressure is moving.\n\nThe committee says the Department for Culture, Media and Sport has helped share lessons after recent breaches, but could not identify concrete sector-wide actions taken as a result. This is the limit of response. Lessons circulate. Conditions remain.\n\nDigital record-keeping has therefore become more than a collections-management issue. Better records do not prevent every theft. But they change the visibility of loss. They make absence harder to absorb into backlog, delay or uncertainty.\n\nCyber-resilience works in the same register. A ransomware attack against a museum or library does not only take down a website. It can interrupt research, expose personal information and weaken the systems through which an institution knows what it holds.\n\nMuch of this work is already happening inside institutions, often through overstretched collections, digital and operations teams. The issue is not absence of awareness, but the scale at which the risk now has to be held.\n\nThis is happening while the financial model is being pulled in another direction. National museums and galleries have increased self-generated income, but visitor numbers remain uneven, costs have risen and public funding has fallen in real terms since emergency pandemic support ended.\n\nThe financial model now asks museums to earn more of their own income while absorbing costs that do not generate income: cyber resilience, records infrastructure, audits, board capacity and compliance.\n\nThe demand is familiar: become more resilient, more commercial, more efficient, more open.\n\nThe risk is that resilience becomes another word for absorption.\n\nMuseums are asked to carry more complex exposure while the state preserves distance through the language of autonomy. Autonomy matters. It protects curatorial judgement, institutional independence and public trust. But autonomy cannot substitute for shared standards, cyber capacity, collection infrastructure or timely governance.\n\nThe question is not whether DCMS should run the museum.\n\nIt is whether autonomy can still carry risks that no single museum can contain.\n\nTrustee vacancies and slow appointments sharpen the problem. Boards are now expected to oversee institutions whose risks span finance, data, estates, security, reputation and public accountability. Stewardship is being stretched by conditions it was not built to hold.\n\nWhat emerges is not a simple failure of care.\n\nIt is a mismatch between the museum as inherited form and the museum as contemporary infrastructure.\n\nThe institution is still described as a guardian of objects. It now has to guard systems, access and information as well.\n\nThe unresolved question is how to build central responsibility without institutional capture.\n\nThe PAC report matters because it exposes the limit of the current settlement.\n\nAutonomy remains the principle. Risk has become collective.\n\nBetween those two conditions, the museum is being asked to hold more than its structure was built to carry.\n\n© ART Walkway. All Rights Reserved.",
"title": "UK Museums and the Limit of Autonomy",
"updatedAt": "2026-06-25T17:07:40.949Z"
}