Heathrow cyber attack: What happened, impact, and lessons for resilience

London, 22 September 2025 - Heathrow is working through a second day of disruption after a cyber attack on a third‑party airline systems provider crippled automated check‑in and boarding across multiple European airports, forcing manual processing and causing long queues, delays, and cancellations

What we know so far

Authorities and airport operators say the incident targeted Collins Aerospace’s “Muse” passenger handling software, which enables shared check‑in desks and boarding gates at hundreds of airports. The outage disrupted electronic check‑in and baggage drop, but aviation safety and air traffic control were not affected, according to European authorities. Heathrow has confirmed recovery efforts continue and that the majority of flights have operated, with passengers advised to check flight status before travelling.

The UK National Cyber Security Centre (NCSC) is working with Collins Aerospace, affected airports, the Department for Transport, and law enforcement to understand the impact, while the EU’s cybersecurity bodies say current signs do not indicate a widespread or severe attack.

Attribution remains unclear. Terror law watchdog Jonathan Hall KC cautioned that capable private actors or state‑linked groups could be responsible, noting the “deniable” nature of such operations.

Official guidance for passengers

Heathrow advised passengers to verify flight status before leaving for the airport and to arrive no earlier than three hours for long‑haul and two hours for short‑haul flights while recovery continues. Brussels Airport issued similar warnings as disruptions persisted into Monday.

What authorities and experts are saying

The European Commission said it is closely monitoring the incident alongside EUROCONTROL and ENISA, reiterating that aviation safety and ATC were unaffected. UK authorities confirmed active coordination with sector and law‑enforcement partners. ENISA indicated the disruption followed a third‑party ransomware attack affecting automated check‑in systems, with law enforcement engaged.

Why this matters: supply chain risk in aviation

This incident underscores systemic supply chain risk: by compromising a widely used external service provider, attackers triggered cascading disruption across multiple airports and airlines simultaneously. It mirrors a broader trend of attackers targeting shared platforms to maximise operational and reputational impact.

Practical lessons for airports, airlines, and critical suppliers

• Resilience by design: Maintain manual fallback procedures, local check‑in capacity, and segregated backups so critical passenger flows can continue when shared systems fail.

• Vendor assurance: Treat third‑party platforms as extensions of your own risk surface. Require evidence of patching cadence, incident response maturity, segmentation, and ransomware playbooks.

• Business continuity exercises: Regularly test airport–airline–vendor joint incident drills, including communications under high passenger volume.

• Data minimization and access control: Limit lateral movement risk with least‑privilege access, MFA, and network segmentation around check‑in and baggage systems.

• Telemetry and tabletop readiness: Ensure logging spans supplier interfaces and that crisis comms plans include clear, time‑boxed passenger guidance.