Supply Chain Risk: How a Shared Software Target Disrupted Heathrow & Brussels in One Weekend
- Reto Zeidler
- Sep 22
- 2 min read
Between Fri night, 19 Sept, and Sun, 21 Sept 2025, ransomware targeting Collins Aerospace’s MUSE check-in/boarding software disrupted multiple European hubs, most visibly Heathrow and Brussels. ENISA confirmed ransomware; attribution remains unknown at this time. Brussels scrapped up to 50% of Monday departures; Heathrow kept most flights running with workarounds. Impact: widespread delays, cancellations, and manual processing.
What happened?
Late on Friday (19 Sept), airports began reporting failures in passenger check-in/boarding systems supplied by Collins Aerospace. By Saturday, the outage rippled across several hubs, forcing manual workarounds (handwritten boarding passes, backup laptops) and causing delays/cancellations. Heathrow said “the vast majority” of flights continued, using airline backups; roughly half of carriers had some online capability by Sunday, including BA. Berlin experienced manual boarding for some airlines. Brussels was hit hardest, with authorities asking airlines to cancel up to 50% of Sunday operations and warning of continued disruption into Monday. ENISA told media that ransomware was used, and law enforcement was engaged. Collins described a “cyber incident,” focusing on software updates and recovery, while internal Heathrow communications urged continued manual boarding during restoration.
What we know
Confirmed facts (as of Mon, 22 Sept 2025):
Vector/target: The incident centered on Collins Aerospace’s MUSE check-in/boarding platform used by multiple airports/airlines.
Type of attack: ENISA confirmed ransomware affecting automatic check-in systems; law enforcement is involved. Attribution is unknown.
Operational impact: Heathrow maintained most flights via workarounds; Brussels faced the heaviest disruption, asking airlines to cancel up to 50% of departures and continuing manual/online hybrid check-in into Monday (40 of 277 departures canceled Monday; additional arrival cancellations).
Supplier stance: Collins/RTX referred to a “cyber-related disruption” and focused on software updates and restoration.
What’s plausible/speculative:
Persistence and scale: Internal notes (seen by media) described >1,000 systems “corrupted” and suggested reinfection/persistence concerns during rebuild, details not confirmed by Collins.
Ransom/payment: No verified public information on demands or payments as of this writing.
Context and recent patterns (last 24 months):
Sector trendline: Aviation/transport is a high-value, heavily interconnected target; supply-chain exposure means a single vendor compromise can cascade across borders.
Volume spike: A June report cited by multiple outlets notes a ~600% increase in aviation cyberattacks year-over-year into 2025—consistent with the scale and speed of this weekend’s spillover.
Recent analogs: European/Asian airports have faced recurring cyber disruptions in the past year, with impacts ranging from DDoS on web properties to operational technology and airline/ground-handling IT issues—again reflecting shared-system risk.
Takeaway
The Heathrow–Brussels correlation isn’t coincidence; it’s the by-product of shared reliance on a third-party platform. The incident underscores supply-chain risk, the need for resilient fallback procedures (manual/backup systems), and coordinated vendor/customer recovery playbooks when disruption enters a critical service stack.
Sources
Comments