On October 19th, 2025, four men dressed as construction workers stole €102 million in French crown jewels from the Louvre Museum in just seven minutes. The heist was poorly executed—thieves dropped items and failed to target the most valuable pieces—yet they succeeded spectacularly. Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade. In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032. This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right. Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed. Key Takeaways The Louvre's password was "LOUVRE." If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems. Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence. Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources. Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption. The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture. Your security might be better than that of the Louvre. If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning. Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response. Case Studies Referenced The Louvre Heist (October 2025) Incident: €102 million in French crown jewels stolen in 7 minutes Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations Accountability: Director retained position, no terminations, Culture Minister initially denied security failure Timeline: Security upgrades recommended in 2015 won't complete until 2032 KNP Logistics (Referenced) Industry: East Yorkshire haulage firm Incident: Ransomware attack, £850,000 ransom demand Outcome: Couldn't pay, business entered administration, 70 jobs lost Contrast: Small business faces closure; national institution faces no consequences Electoral Commission (Referenced) Incident: Data breach affecting 40 million UK voters Outcome: No job losses, no significant consequences Relevance: Government accountability gap vs private sector enforcement Case Studies Referenced The Louvre Heist (October 2025) Incident: €102 million in French crown jewels stolen in 7 minutes Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000