IT Trends Weekly — a curated, citation-first roundup for busy IT leaders.
When check-in systems go dark: Europe’s airport outage and what it means for you
The headline: A ransomware attack on a third-party airport software provider cascaded across Europe, forcing manual check-ins, handwritten boarding passes, long lines, and cancellations at major hubs including Heathrow, Brussels, and Berlin. Investigations tied the disruption to Collins Aerospace’s MUSE platform; the EU’s cybersecurity agency confirmed ransomware as the cause, and UK police arrested a suspect days later.[1][2][3][4]
If you were traveling, you felt it. Heathrow warned of delays for departing passengers; Brussels shifted to iPads/laptops when e-check-in failed and canceled dozens of flights; Berlin’s recovery lagged with continued disruption mid-week. Some airports (e.g., Frankfurt) were unaffected; Barcelona saw heightened attention but largely normal ops, per local reporting.[1][5][6]
What happened (Fri → Wed)
- Fri night → Sat: A cyberattack hit Collins Aerospace systems used for passenger check-in/boarding at several European airports. Airlines fell back to manual processes; Heathrow, Brussels, and Berlin warned travelers to expect delays and to check with airlines before leaving home.[1][7]
- Sun: Disruption eased in some hubs, but delays and cancellations continued as systems were restored in phases.[7]
- Mon: ENISA confirmed ransomware as the root cause; airports reported mixed recovery — Brussels still canceling flights and using manual intake; Berlin warned of continued delays.[2]
- Wed: UK authorities arrested a suspect; investigations continued as Collins worked to fully restore MUSE.[3][4]
Key point: this was a third-party blast radius event. Airlines and airports that don’t share networks saw their customer experience crater because they shared a vendor dependency.[1]
Why it matters (beyond aviation)
This wasn’t a safety incident; it was a customer-journey incident. Planes didn’t fall out of the sky — intake, queuing, and status for travelers broke. Swap “passengers” for “patients,” “citizens,” or “customers,” and you get the same pattern many enterprises face when a vendor’s SaaS or integration point fails. If your intake and self-service are down, your whole organization feels down.[1][2]
What to change this week (enterprise playbook)
- 1) Design “Manual Mode” you can switch on in 2 hours. Pre-approve a static status page on separate hosting/DNS with the essentials: what’s down, what still works, how to get service now, and when the next update lands. Build a simple intake (alternate form in a clean tenant) that exports to CSV. Publish an expanded phone tree and extend hours as needed. Airports that did this reduced chaos; those that didn’t saw confusion pile up.[1]
- 2) Separate “read” from “write”. For customer portals, split the plane that shows data (availability, status, KB) from the plane that accepts requests (orders, bookings). In an incident, restore read first to deflect calls, then bring write back in stages with rate limits.[7]
- 3) Make vendor continuity testable. Update contracts with functional continuity SLAs: if the app is down, the vendor must accept CSV intake by S+4h via secure portal, re-ingest daily, provide named 24/7 tech contacts, and join tabletops twice a year. Your customers don’t care whose logo failed.[1]
- 4) Publish on a cadence. Set fixed times (e.g., 10:00/16:00 local) for updates, even if the update is “no change.” Clear cadence keeps the public calmer and aligns staff.[6]
- 5) Identity & access hygiene (incl. vendors). Enforce hardware-key MFA on admin accounts, just-in-time access for vendors, and block standing VPN/service accounts. Many third-party incidents start with credential compromise before ransomware deploys.[2]
- 6) Prove a clean-environment intake. During ransomware investigations, contaminated environments stay quarantined. Show you can stand up a clean intake path in 24–48 hours while forensics continue (tablets on alt networks, separate tenant forms, CSV backlog processing).
Metrics that actually matter
- Time to first public update (< 60 minutes from detection/notification).
- Time to functional continuity (how fast can customers submit requests again — even in degraded mode?).
- % of top customer journeys with a manual fallback (target your top five).
- Vendor tabletop participation rate (100% for Tier-1 providers).
- Deflection from read-first plan (how much status/FAQ reduced inbound calls).
48-hour checklist (steal this)
- Spin up a static status site on independent hosting + DNS.
- Add a “Manual Mode” page for each of your top 5 customer journeys with: what works, how to get service, and next update time.
- Draft a CSV schema (minimum fields) and confirm a secure submission path with vendors.
- Update runbooks so the Service Desk knows precisely what to say and where to redirect.
- Schedule a 60-minute tabletop with your Tier-1 vendor and internal owners this week; assign action items and a due date.
- Turn on hardware-key MFA for all privileged admins and begin rolling it out to vendor admins.
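An added example (not from the article or any vendor's tooling) for the CSV intake and backlog steps above: before a manual-mode export is re-ingested, check it against the minimum schema, drop duplicates, and neutralize cells a spreadsheet would evaluate as formulas. The column names, the `triage_backlog` helper, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Assumed minimum schema for a manual-mode intake export (not from the article).
REQUIRED = ("submission_id", "received_utc", "journey", "contact", "request")
# Leading characters that spreadsheet tools treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize(cell: str) -> str:
    """Prefix a formula-like cell with a quote so it is stored as plain text."""
    return "'" + cell if cell.startswith(FORMULA_PREFIXES) else cell


def triage_backlog(csv_text: str, already_ingested: set[str]):
    """Split a backlog export into rows safe to re-ingest and rejected rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        raise ValueError(f"export lacks required columns: {missing_cols}")
    accepted, rejected = [], []
    seen = set(already_ingested)  # IDs loaded on earlier daily re-ingests
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        empty = [c for c in REQUIRED if not (row.get(c) or "").strip()]
        if empty:
            rejected.append((line_no, f"empty fields: {empty}"))
            continue
        sid = row["submission_id"].strip()
        if sid in seen:
            rejected.append((line_no, f"duplicate submission_id {sid}"))
            continue
        seen.add(sid)
        accepted.append({c: neutralize(row[c]) for c in REQUIRED})
    return accepted, rejected


# Constructed sample export: one empty contact, one duplicate, one formula cell.
SAMPLE = """submission_id,received_utc,journey,contact,request
M-0001,2025-01-01T08:05:00Z,check-in,a.user@example.com,Seat change
M-0002,2025-01-01T08:07:00Z,check-in,,Rebook
M-0001,2025-01-01T08:09:00Z,check-in,a.user@example.com,Seat change
M-0003,2025-01-01T08:11:00Z,status,b.user@example.com,=1+1
"""

if __name__ == "__main__":
    ok, bad = triage_backlog(SAMPLE, set())
    print(len(ok), "accepted;", bad)
```

Rejected rows carry their line number in the export so staff can correct them at the source instead of silently losing a request.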
AI trend to watch (brief)
US CAISI + UK AISI deepen hands-on testing with OpenAI & Anthropic. NIST’s Center for AI Standards & Innovation reported new collaborative work with labs to identify security issues and bolster measurement, alongside lab blogs describing concrete improvements from government evaluations. For IT leaders, this points to near-term, practical testing protocols you can map to your own AI risk program (prompt-injection tests, model red-team scopes, release gates tied to capability assessments).[A1][A2]
Sources & citations
- Reuters — Cyberattack causes flight delays/cancellations; Heathrow, Brussels, Berlin affected.
- Reuters — EU agency confirms third-party ransomware behind airport disruptions.
- AP — Man arrested in UK over alleged cyberattack affecting European airports.
- Reuters — UK police arrest man over Collins Aerospace ransomware investigation. Additional reporting: The Guardian — arrest over attack that hit Heathrow & EU airports.
- The Guardian — Delays continue at Heathrow, Brussels & Berlin; manual check-ins and cancellations.
- Reuters — European airports race to fix check-in after hacking disruption.
AI sources
- NIST (CAISI) — CAISI works with OpenAI & Anthropic to promote secure AI innovation.
- OpenAI — Working with US CAISI and UK AISI to build more secure AI systems. See also Anthropic — collaboration update.