The Louvre Protected $102M in Crown Jewels With Password "LOUVRE" (For 11 Years)

Last Updated: November 6, 2025

Three security audits. Eleven years of warnings. Zero fixes. Here's what every organization needs to learn from the world's most expensive password failure.

TL;DR: The 90-Second Version

  • October 19, 2025: Thieves stole $102M in French crown jewels from the Louvre in an 8-minute daylight heist
  • The password protecting the museum's CCTV system: "LOUVRE" (discovered in 2014 audit, never changed)
  • Security software password: "THALES" (literally the vendor's name)
  • Systems still running: Windows Server 2003 (unsupported since 2015)
  • Camera coverage: 39% of galleries had any CCTV at all
  • Budget priorities 2018-2024: €105M on art purchases, €27M on security
  • Result: $102M gone in 8 minutes, global embarrassment, case study in how NOT to manage security

I've spent over a decade consulting with Fortune 500 companies on observability and security. I've seen brilliant engineers use "CompanyName2024!" everywhere. I've watched organizations run Windows XP in production because "it still works."

But I've never seen an organization ignore three major security audits for eleven consecutive years while spending more on art than infrastructure.

Until the Louvre.

This isn't just about a museum. This is about every organization that treats security as overhead instead of insurance. Every company that thinks "it hasn't happened yet" means "it won't happen." Every leadership team that prioritizes visible projects over invisible protection.

What Actually Happened

October 19, 2025. 9:30 AM. Sunday morning.

Four men in construction vests pulled up to the Louvre in a truck with a furniture lift. They extended the lift to a second-floor balcony, used power grinders to cut through a window, and broke into the Apollo Gallery—home to France's crown jewels.

Seven minutes later, they escaped with nine pieces of Napoleonic-era jewelry worth €88 million ($102M). They dropped Empress Eugénie's tiara (2,000 diamonds, 200 pearls) during their escape but vanished into Paris traffic with everything else.

The single exterior camera monitoring that section? Facing the wrong direction.

This wasn't Ocean's Eleven with laser grids and vault-cracking. This was four guys with power tools during museum hours.

And it worked because the security protecting $102 million in irreplaceable artifacts was built on passwords like "LOUVRE" and software running Windows Server 2003.

The Password Nobody Fixed (Despite Three Warnings)

In December 2014, France's National Cybersecurity Agency (ANSSI) tested the Louvre's security. Their confidential 26-page report—later obtained by French newspaper Libération—found something simultaneously hilarious and horrifying:

CCTV server password: LOUVRE

Security software password: THALES

Not "L0UVR3!" with substitutions. Not "Louvre2014" with a year. Just the literal names.

ANSSI's penetration testers demonstrated they could:

They recommended immediate password changes and system upgrades.

According to multiple sources, including an ABC News report citing a museum employee with direct system knowledge, "LOUVRE" was still the password at the time of the October 2025 heist.

That's eleven years. Zero substantive changes.

The Pattern of Ignored Warnings

2014 ANSSI Audit: Discovers "LOUVRE" password, Windows 2000 systems without antivirus, demonstrates network infiltration. Recommends immediate fixes.

2017 Follow-Up Audit: 40-page report describes "serious shortcomings"—accessible rooftops, malfunctioning equipment, outdated surveillance, no password policies. Warns: "The museum can no longer ignore the potential threat of an attack with potentially dramatic consequences."

2019: Internal docs note surveillance software can't be updated. Vendor discontinued support years earlier.

2025 Pre-Heist: Paris Police audit confirms systems "truly needed modernization." Software still running on Windows Server 2003—unsupported by Microsoft for 10 years.

October 19, 2025: Thieves break in. Systems fail. $102M disappears.

Security experts identified critical vulnerabilities. Wrote detailed reports. Demonstrated exploits. Provided recommendations.

Eleven years later, when thieves arrived, those same systems were protecting the crown jewels.

The Budget That Told the Real Story

On November 6, 2025, France's Court of Accounts released a damning report on the Louvre's budget priorities (2018-2024):

Security & Maintenance: €87 million total

Art Acquisitions: €105 million

The museum spent 20% more buying art than protecting it.

Some highlights from that shopping spree:

Meanwhile, security upgrades recommended in 2015? Won't be complete until 2032—seventeen years after identification.

The Louvre operates on a €323 million annual budget. This wasn't underfunding because money didn't exist. This was deliberate deprioritization.

The infrastructure numbers:

Compare: Detroit Institute of Arts, similar size, 550+ cameras.

Pierre Moscovici, president of the Court of Accounts, said museum leadership prioritized "visible and attractive" projects—art purchases and renovations—over fundamental security infrastructure.

Why This Matters Beyond Museums

I work with enterprise teams implementing monitoring and observability solutions. I see this pattern constantly.

Leadership invests in customer-facing features, revenue-generating initiatives, visible improvements that show up in demos.

Meanwhile, infrastructure—monitoring systems, security layers, backup procedures—gets "next quarter" treatment until something catastrophic forces action.

The Louvre's failure exposes three universal vulnerabilities:

1. Legacy System Risk Compounding

"If it ain't broke, don't fix it" becomes the operating principle.

Except in security, "broke" means "already compromised"—you just haven't discovered it yet.

Windows Server 2003 hasn't received security patches since 2015. Every day it remains in production, the attack surface grows. Every unpatched vulnerability becomes a documented entry point in public exploit databases.

The Louvre ran this software for ten years past end-of-support. That's not technical debt. That's technical bankruptcy.

2. The Audit-to-Action Gap

Multiple assessments. Documented findings. Established timelines.

Zero substantive changes.

This is the Achilles heel of security programs everywhere. Identification without remediation. Reporting without accountability. Plans without execution.

Security audits generate findings. Leadership generates acknowledgments. Then budget cycles happen, priorities shift, and findings gather digital dust.

The gap between "we know this is a problem" and "we fixed it" is where breaches live.

3. Budget Misalignment With Risk

The Louvre had money. They chose not to spend it on security.

The calculation is simple: What's the cost of prevention versus the cost of breach?

For the Louvre: €27M in deferred security versus €88M in stolen assets plus immeasurable reputational damage plus investigation costs plus insurance implications plus cultural loss of irreplaceable historical artifacts.

That math doesn't just fail to add up. It actively creates liability.

How to Actually Protect Your Organization

Whether you're running a museum, SaaS platform, or healthcare network, these principles apply:

Stop Using Your Organization's Name as a Password

This should be obvious, but apparently needs stating: Never use company names, product names, vendor names, or dictionary words as passwords.

Use password managers. Require a minimum of 14 characters. Better yet, use passphrases—four random words create exponentially more entropy than complex gibberish.

Enable MFA everywhere. Authenticator apps or hardware keys—not SMS (vulnerable to SIM swapping).
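As an added example (not code from the original post), here is a policy check in the spirit of this section: it normalises leetspeak and year suffixes so that "L0UVR3!" and "Louvre2014" are rejected just like "LOUVRE", enforces the 14-character minimum, and estimates search space so a random four-word passphrase can be compared against "complex gibberish". The denylist, the Diceware list size and the sample passwords are constructed assumptions.

```python
import math
import re
from typing import List

# Constructed denylist built from the article: the organisation's own name
# ("LOUVRE"), its security vendor ("THALES") and the gallery that was hit.
FORBIDDEN_TERMS = ("louvre", "thales", "apollo")

# Common substitutions undone before matching, so "L0UVR3!" still reads "louvre".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 14          # the article's 14-character minimum
DICEWARE_WORDS = 7776    # size of the standard Diceware word list (assumed list)

def normalise(password: str) -> str:
    """Lower-case, undo leetspeak and drop digits/punctuation (e.g. a '2014' suffix)."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))

def check_password(password: str) -> List[str]:
    """Policy violations for a candidate password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = normalise(password)
    for term in FORBIDDEN_TERMS:
        if term in core:
            problems.append(f"contains forbidden term '{term}'")
    return problems

def entropy_bits(password: str) -> float:
    """Search-space estimate assuming the secret was generated at random.

    Three or more space-separated words are scored as a Diceware passphrase;
    anything else as random characters from the classes present. A guessable
    word like "louvre" scores the same as a random 6-letter string here, which
    is exactly why check_password's denylist is needed alongside the estimate.
    """
    words = password.split()
    if len(words) >= 3:
        return len(words) * math.log2(DICEWARE_WORDS)
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0
```

Note that "L0UVR3!" scores about 43 bits on the naive estimate yet is rejected by the denylist, while the four-word passphrase scores about 52 bits and passes.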

Create a Legacy System Sunset Policy With Teeth

Identify every system running unsupported software or outdated operating systems. Not "we'll get to it"—actual enumeration with owners and deadlines.

If a system can't be upgraded, isolate it or decommission it.

"It still works" is not a security strategy. "It still receives patches" is the baseline.

Close the Audit-to-Action Gap

Assign executive ownership to each critical vulnerability. Set public deadlines. Track progress in leadership reviews. Make security metrics visible to boards.

The gap between identification and remediation is measured in risk. The Louvre's gap was eleven years. What's yours?
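The sunset policy above and the audit-to-action gap in this section come down to the same bookkeeping: every system past end-of-support needs a named owner and a committed date, and every open finding needs its age measured. As an added example (not from the original post or the Louvre itself), here is a small inventory check over constructed records; the 180-day deadline limit and the December 2014 audit day are assumptions, while Windows Server 2003's end of extended support on 14 July 2015 is a matter of record.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Asset:
    name: str
    software: str
    end_of_support: date                    # vendor's published end-of-support date
    owner: Optional[str] = None             # a named accountable person, not "IT"
    decommission_by: Optional[date] = None  # committed date to upgrade, isolate or retire

@dataclass
class Finding:
    title: str
    identified: date                        # date the audit reported it
    remediated: Optional[date] = None       # None means still open

MAX_DEADLINE_DAYS = 180  # assumed policy: a past-EOS system gets at most six months to a fix

def years_past_support(asset: Asset, today: date) -> int:
    """Whole years the asset has run past end-of-support (0 if still supported)."""
    return max(0, (today - asset.end_of_support).days // 365)

def asset_violations(asset: Asset, today: date) -> List[str]:
    """Policy violations for one inventory entry; an empty list means compliant."""
    problems = []
    if asset.owner is None:
        problems.append("no accountable owner")
    if today > asset.end_of_support:
        years = years_past_support(asset, today)
        if asset.decommission_by is None:
            problems.append(f"{years} years past end-of-support with no decommission date")
        elif asset.decommission_by > today + timedelta(days=MAX_DEADLINE_DAYS):
            problems.append(f"decommission date exceeds the {MAX_DEADLINE_DAYS}-day limit")
    return problems

def finding_age_days(finding: Finding, today: date) -> int:
    """Days from identification to remediation (or to today if still open)."""
    end = finding.remediated or today
    return (end - finding.identified).days

# Constructed records modelled on the article; the audit day is an assumption.
HEIST_DAY = date(2025, 10, 19)
CCTV_SERVER = Asset("cctv-recorder", "Windows Server 2003", date(2015, 7, 14))
PASSWORD_FINDING = Finding("CCTV server uses the museum name as password", date(2014, 12, 15))

if __name__ == "__main__":
    print(asset_violations(CCTV_SERVER, HEIST_DAY))
    print(finding_age_days(PASSWORD_FINDING, HEIST_DAY) // 365, "years open")
```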

Rebalance Security Budgets Against Actual Risk

Calculate breach cost: regulatory fines, incident response, operational disruption, reputational damage, customer churn, insurance.

Compare to preventive measures. Security should be funded proportional to risk—not as discretionary overhead.

Prevention is always cheaper than response.

Deploy Adequate Monitoring Coverage

The Louvre's 432 cameras covering 39% of galleries isn't monitoring—it's theater.

If you're investing in surveillance, ensure coverage actually detects threats. Gaps in visibility are gaps in security.

This applies to digital observability too. Monitoring 40% of infrastructure means you're blind to 60% of risk.

Conduct Regular Penetration Testing

ANSSI found "LOUVRE" during 2014 pen testing. If the museum had continued annual testing, someone would have flagged the persistent vulnerability.

Security assessments aren't one-time events. They're ongoing validation.

Schedule testing annually. Hire external firms who aren't invested in making you look good. Fix what they find before attackers do.

Create Executive Accountability

Security can't be delegated entirely to IT. Leadership must own risk decisions.

When audits identify critical vulnerabilities and those vulnerabilities remain unpatched for years, that's governance failure.

In your organization: Who owns security? Not "who implements it"—who is accountable when it fails?

Protect Your Organization: Complete Security Stack

Layer 1: Password Manager
→ Use a reputable password manager with strong encryption
→ Generate unique, complex passwords for every account
→ Never reuse passwords or use organization names

Layer 2: VPN for Network Security
→ NordVPN encrypts all network traffic
→ Protects against man-in-the-middle attacks
→ Essential for remote access and public WiFi

Layer 3: Multi-Factor Authentication
→ Enable MFA on all critical systems
→ Use authenticator apps or hardware keys
→ Never rely solely on passwords

Total cost: Less than $5/month for enterprise-grade security

Affiliate Disclosure: Some links in this article are affiliate links to Nord Security products, which means we earn a small commission if you make a purchase. This doesn't affect your price and helps us continue creating free security education content like the Password Game and our breach analysis research. We only recommend products we personally use in our consulting work and trust with our own security. Your trust matters more than any commission.

What We Still Don't Know

Several critical questions remain unanswered:

Did the password change between 2014 and 2025? ANSSI won't confirm. An ABC News source says "LOUVRE" was active during the heist. If accurate, that's eleven years of known vulnerability.

Did thieves exploit digital vulnerabilities? We know they used power tools. We don't know if they accessed the network to disable cameras first. The degraded digital security created that option whether they used it or not.

Which audit recommendations were implemented? Three assessments over eleven years. Lots of findings. Which got fixed? Which got deferred?

What other systems remain compromised? If CCTV was "LOUVRE" for eleven years, what other credentials are weak? What other legacy systems are running past end-of-support?

The Uncomfortable Truth About Security Theater

The Louvre had security systems. Multiple layers. Cameras, alarms, guards, protocols.

On paper, they looked protected.

In practice: 61% of galleries had no cameras. Exterior camera misaligned. CCTV password was "LOUVRE." Systems ran Windows Server 2003.

That's not security. That's security theater.

The appearance of protection without substance. Compliance checkbox without actual control. Audit acknowledgment without remediation.

How many of your security controls are actually controls versus theater? How many audit findings from last year are still open? How many legacy systems are you running past end-of-support?

I've analyzed 50,000 breached passwords. I've helped organizations implement observability across distributed systems. I've sat in meetings where security gets "next quarter" treatment because it's not revenue-generating.

The pattern is always the same:

We know there's a problem. We acknowledge the risk. We document findings. We establish timelines. We allocate insufficient budget. We defer critical upgrades. We prioritize everything else.

Until something breaks. Until credentials leak. Until attackers exploit the vulnerability we documented three years ago. Until $102 million disappears.

Then suddenly security becomes the top priority.

The Louvre just paid $102 million to learn what every security professional already knows: prevention is always cheaper than response.

Your Move: What You Do Next

You've read this far because something resonated. Your organization has its own version of "LOUVRE" somewhere in production.

Here's what you do:

This Week:

This Month:

This Quarter:

This Year:

You don't have to be perfect. You have to be better than yesterday.

The Louvre spent eleven years not being better.

Don't be the Louvre.

Want to Test Your Security Knowledge?

Think you understand password security? Our Password Game teaches entropy through 5 progressive challenges.

Used by Fortune 500 companies for security training. 75% retention vs 5% for traditional methods.

Sources & Evidence
