Britain’s leading museums and galleries are being left exposed to cyber-attacks, theft and weak oversight because government support has been too reactive and lacks clear follow-through, MPs have warned.The Public Accounts Committee said the Department for Culture, Media and Sport had not shown enough leadership in helping 15 government-sponsored museums and galleries respond to fast-moving digital and physical security threats. The warning follows a parliamentary examination of the financial resilience of national cultural institutions, where cyber risk emerged as a major concern alongside pressure on income, governance gaps and the security of collections.
The committee pointed to the October 2023 ransomware attack on the British Library and the thefts reported at the British Museum in 2023 as evidence that some of the UK’s most important cultural bodies face risks that can damage public access, compromise records and undermine confidence in the stewardship of national collections. MPs said lessons had been shared across the sector, but the department could not provide specific examples of concrete action taken as a result to better protect systems and collections.
The findings sharpen scrutiny of a sector that holds nationally significant assets while relying increasingly on digital catalogues, online ticketing, e-commerce, donor databases and networked back-office systems. A cyber breach can disrupt access to reading rooms, exhibitions, payments and archives, while poor digital records can make it harder to identify missing objects, track loans and establish accountability when collections are compromised.
The British Library attack became one of the most damaging cyber incidents to affect a UK cultural institution. Services were disrupted for months after hackers infiltrated systems, stole data and forced a long recovery process. The institution did not pay the ransom and instead began rebuilding parts of its technology estate, with recovery costs running into several million pounds. The case has become a warning for public bodies that hold sensitive information but often operate with constrained budgets and ageing infrastructure.
The British Museum has faced a separate crisis over missing, stolen and damaged objects, with about 2,000 items believed to have been affected. The episode exposed weaknesses in internal controls, record keeping and escalation mechanisms. The museum has since moved to accelerate digitisation of its collection, but MPs said the wider sector needed a more systematic approach to security, not only institution-by-institution learning after failures occur.
The committee said DCMS was over-reliant on the autonomy of museums and galleries, despite providing nearly half of their income through grant-in-aid. The 15 sponsored institutions received £484 million in grant-in-aid in 2024-25, about a quarter of the department’s overall spending. Self-generated income reached £563 million in the same year, a 53 per cent real-terms rise since 2021-22, driven by exhibitions, retail, venue hire, hospitality and other commercial activity.
Financial improvement has not removed underlying fragility. Visitor numbers remain below pre-pandemic levels, while staff, energy, maintenance and storage costs have risen. Government funding has fallen by 16 per cent in real terms since emergency pandemic support ended, leaving institutions under pressure to expand commercial activity without weakening public access to permanent collections.
MPs also criticised gaps in performance monitoring. They said the department did not have a clear enough picture of whether museums and galleries were delivering value for taxpayers, or how they were contributing to broader cultural and social outcomes set by ministers. The committee called for clear metrics within six months, including consequences for institutions that fail to meet expectations.
Cybersecurity is increasingly linked to these financial and governance pressures. Museums and galleries must protect digital infrastructure while investing in conservation, estates, staffing and access. Many also depend on external suppliers for ticketing, payments, cloud services and specialist systems, making supply-chain risk a growing concern. The government’s wider cyber action plan for public bodies aims to strengthen resilience by 2030, but the committee’s report suggests cultural institutions need more targeted support before the next major incident.
DCMS told MPs it was working with sponsored bodies on central advice for cyber-resilience, skills shortages and shared materials that could be used across arm’s-length bodies. It has also been bringing together chief digital information officers and security leads in new forums, and has allocated a small amount of departmental funding this year to support the work.
The committee said such steps did not yet amount to a strategic response. It urged the department to set out the concrete actions it and museums have taken, and are taking, to address cyber and physical security threats. MPs said confidentiality could be respected where necessary, but the department needed to show that learning from past incidents had translated into stronger controls.
Topics
Technology