The invisible risk of cyber attacks • Arthouse Cinema Hub

Whenever I visit an independent cinema, chances are high I will spot a post-it note behind the counter with the POS login written in black marker. And, let’s face it, this is still where many venues stand today on digital security.

Cinemas now rely on digital systems for almost everything - digital cinema systems, POS and payment tools, customer data, and network connections - and each one carries its own vulnerability.

It is still common practice to plug in USB sticks without thinking twice, to open attachments without checking the sender, or to share passwords across multiple staff members. Cinemas receive hundreds of emails every week for events, partnerships or sponsorships, and any one of them can be a phishing attempt.

Cyber threats are growing in frequency and sophistication, with generative AI making it easier to create convincing fake identities and turn routine exchanges into traps. The question is no longer whether you will be targeted but how prepared you will be when it happens.

Small and medium-sized businesses, often lacking dedicated IT capacity, are among the easiest targets. A 2025 Mastercard survey found that at least one in four European SMEs had fallen victim to cyber scammers. And the cost continues to rise: EU data shows the global cost of cybercrime doubled between 2015 and 2020 and is now estimated at €5.5 trillion per year.

Cinemas have not been exempt. More than seven years ago, Pathé Netherlands made headlines after falling victim to a scam that cost the company over 21 million euros. In early 2024, an attack on a Swedish IT provider caused several days of collateral shutdowns for major cinema chains’ websites across the country. Earlier this summer in the Baltics, a leading chain was hit by a ransomware, forcing venues to sell tickets only in person while systems were rebuilt. On 13 November, the Living Room Theaters, a small independent cinema in Portland, US, was randomly targeted, leaving the cinema completely unable to operate for a week.

And these are only the most visible cases. Many incidents go unreported, as victims often stay silent for fear of lasting reputational damage.

The risks are not only financial. A breach can halt operations for days and demand significant time and resources to repair. It also carries legal consequences, as cinemas must comply with rules such as the EU’s GDPR, with potential fines triggered by an attack.

Many in the industry are taking cybersecurity seriously. Chains are hiring IT or security managers - a role that barely existed in exhibition just a few years ago. Pathé Netherlands even runs a “responsible disclosure” programme, inviting ethical hackers to report potential vulnerabilities.

The topic is also rising on the collective agenda. The UNIC Technology Group, which brings together CTOs from major cinema chains, has made cybersecurity a top priority, exploring risks specific to cinema hardware and software.

Even for smaller operators, the message is clear: cybersecurity is now a shared responsibility. But what can you do at your scale, even without a dedicated IT specialist?

The good news is that most risks can be reduced through a few consistent habits. You don’t need advanced systems or a large budget - just awareness, discipline, and the understanding that digital security is part of day-to-day cinema operations.

In a recent presentation to Dutch cinema operators, Cathy Huis in ’t Veld-Esser from Gofilex and President of the European Digital Cinema Forum explained why many attacks succeed: hackers exploit our natural curiosity, desire to help, or fear to create urgency and prompt mistakes.

Here are practical steps recommended by experts including Cathy Huis in ’t Veld-Esser and Ricardo Ancona, Head of IT at Yorck Kinogruppe, combined with industry guidance and common-sense protocols. 

1. Strengthen passwords and enable two-factor authentication

• Use strong, unique passwords for every system.
• Limit administrator privileges to those who need them. Remove accounts for former staff and avoid shared logins.
• Each staff member should have their own account, and relying on a password manager is a simple, low-cost solution.
• Add a second verification step wherever possible.

2. Train your team and guard against social engineering

• Make staff aware of cyber threats, including suspicious emails, attachments, odd invoice requests, or unusual behaviour.
• Incorporate cybersecurity training into onboarding.
• Maintain simple protocols for handling unexpected calls, emails, or payment requests. Verify unusual requests through a known contact or in person.

3. Handle devices and systems carefully

• Treat USB drives as potential risks. Avoid plugging unknown devices into critical systems.
• Keep POS, projection, sound, office computers, routers, and network equipment up to date. Most attacks exploit outdated systems.
• Limit POS terminals to their intended use and maintain vendor support. Cover unused USB ports if needed.

4. Segment networks and control access

• Separate public WiFi, office computers, POS terminals, and projection servers to limit malware spread.
• Restrict administrator privileges and remove old accounts.

5. Physical security and network protections

• Restrict access to technical areas and protect hardware.
• Use firewalls and ensure they are properly configured and regularly updated.

6. Back up data and prepare for incidents

• Store backups offline or in a separate cloud account and test restoration processes at least once a year.
• Prepare a simple incident checklist: who to contact, what to switch off, how to isolate systems, and how to communicate internally and externally if a breach occurs.

These simple, manageable actions can dramatically reduce cyber risks. With awareness, pragmatic habits, and small, steady improvements, even the smallest venue can protect itself and its audiences.

Cybersecurity might feel distant, but it is now part of daily cinema operations. With the right mindset, it can become as natural as checking the projectors or welcoming guests.

And remember: it’s no longer a question of if you will be targeted, but how prepared you will be when it happens.

Header image: Hackers (Iain Softley, 1995), © Park Circus.