Password? Louvre: How the Museum Heist Unmasked the Perils of Under-Prioritised Security

One would think that the most visited museum in the world, housing priceless artwork and archaeological finds, would have robust security measures and be prepared for anything. However, on 19 October 2025, one of the most dramatic recent thefts unfolded at the Louvre Museum in Paris. Disguised as construction workers, a group of thieves used a truck-mounted lift to reach a window of the Galerie d’Apollon, home to France’s crown jewels and priceless historic artefacts. Within just four minutes inside the museum, and less than eight minutes total on site, they broke through the glass, seized eight historic pieces of jewellery, and vanished into the streets of Paris.

 

The incident is a painful case study for any security-risk management professional: when security is deprioritised, even a famed institution becomes vulnerable. 

So, what went wrong? Cracks Beneath the Masterpieces

The museum’s security measures have come under scrutiny in the wake of the heist. 
 
In the weeks following the heist, investigations and parliamentary hearings revealed a troubling picture of chronic underinvestment, outdated systems, and delayed responses to well-documented vulnerabilities. Despite the museum’s reputation and significant role as a national symbol (tens of thousands of square metres, millions of visitors), security had long been a low priority compared to other concerns. To quote the French culture minister Rachida Dati, it was the “chronic, structural underestimation of the risk of intrusions and theft” which made the Louvre vulnerable to the kind of heist the museum experienced in October.

 

The Louvre’s director, Laurence des Cars, testified before the French Senate that the single camera positioned outside the Apollo Gallery faced west, meaning the window through which the thieves entered was completely outside its view. The lack of adequate surveillance coverage in such a critical area revealed not a single-point failure, but a systemic problem: risk assessments and security updates had not kept pace with the scale and complexity of the museum’s operations. 

 

To make matters worse, a confidential audit by France’s National Agency for the Security of Information Systems (ANSSI), as far back as 2014, highlighted serious cybersecurity weaknesses. Investigators discovered that the Louvre’s video surveillance system used the password “LOUVRE”, while another network operated by the defence and cybersecurity firm Thales relied on the equally weak credential “THALES.” Even more concerning, the museum’s automation infrastructure was still running on Windows 2000, an operating system that had been unsupported by Microsoft since 2010, leaving it exposed to well-known vulnerabilities.

 

A follow-up audit, commissioned by the National Institute for Advanced Studies in Security and Justice (INHESJ) and completed in 2017, confirmed many of the same problems. The confidential report described continued reliance on obsolete technology, weak password practices, and poor coordination between the museum’s physical and digital security systems. Despite these clear warnings, little progress was made. Journalists found that as late as 2021, the museum was still using outdated operating systems, suggesting that many of the recommendations had not been meaningfully implemented.

 

The Louvre’s budget priorities painted an equally concerning picture. Between 2018 and 2024, only about €3 million was allocated to security upgrades, despite internal estimates suggesting that approximately €83 million would have been necessary to modernise its systems. Auditors later noted that decision-making at the museum often favoured “more exciting” investments (such as exhibition projects and aesthetic renovations) at the expense of security and infrastructure.

Lessons for Security

The Louvre heist underscores several enduring truths about risk and resilience. No institution — no matter how prestigious — is immune to complacency. Security systems are only as effective as the leadership that prioritises their upkeep.

 

Years of deferred updates and ignored audit recommendations created the conditions for this breach long before the thieves arrived at the museum’s window. The heist exposed the consequences of what happens when risk management becomes reactive rather than proactive. 

 

For security professionals, this case is a potent argument for proactive investment. Audit findings are only useful when acted upon. Surveillance systems must not only exist but provide real coverage, with operational oversight ensuring they are positioned, maintained, and monitored effectively. Digital infrastructure, including everything from password hygiene to operating systems, must meet best-practice standards and be continuously updated to withstand evolving threats.

 

Additionally, security professionals must learn to frame their warnings in business terms that resonate with stakeholders. It is not enough to say that a system is outdated or a window unguarded; the conversation must quantify the potential consequences. For the Louvre, the heist was not merely a hard-learned lesson, but a national humiliation. 

 

For the rest of the world’s cultural institutions – or rather for every organisation with high-value assets – the lesson is clear: security cannot be postponed, deprioritised, or underfunded without facing the consequences. 
