Cyber Resilience in Action: How Airports Kept Flying Through a Ransomware Attack

Over the weekend, several major European airports, including Heathrow, Berlin-Brandenburg, Brussels, and Dublin, were hit by a ransomware attack on Collins Aerospace’s MUSE software, a third-party system used for check-ins, boarding passes, baggage tags, and baggage drop. The attack disabled much of the automated check-in and baggage drop processes, forcing airports to move to manual operations to keep flights moving.

The disruption caused delays, cancellations, and significant inconvenience. Brussels cancelled dozens of flights and even asked airlines to cancel roughly half of scheduled departures in some cases.

This incident reinforces the critical importance of planning not just for cyber defense, but for continuity when core systems are compromised. Every organization, big or small, must have a strategy to continue essential functions when faced with ransomware or other system-crippling attacks.

What They Did Well

  • They had fallback/manual processes ready. When automated systems failed, staff shifted to handwritten boarding passes and laptops or tablets to check passengers in.

  • The disruptions, while serious in some locations, did not ground all operations. Some airports managed to reduce delays over time as manual processes stabilized.

These are positive signs of prior planning, resilience, and rapid response.

However, we have a lot more to learn about the incident and the team’s actions. It is not yet clear whether the ransomware group has demanded payment, whether the airports or vendors have reliable backups to avoid paying, or how they will handle potential data exfiltration. It will be telling to see if their plan explicitly covers ransomware scenarios.

Ransomware: Context & Stats

  • The global cost of ransomware attacks is projected to reach US$57 billion annually in 2025.

  • By 2031, ransomware damages could climb to US$265 billion per year.

  • The average cost per incident is US$1.85 million, factoring in downtime, recovery, and reputational damage.

  • Attack frequency has increased ~13% over the past five years.

  • Only 17% of UK enterprises have paid a ransom in 2025, the lowest rate recorded, as more organizations rely on backups.

The Cost of Not Planning

If you do not have a plan, the consequences escalate quickly:

  • Loss of operations = loss of revenue. Even short outages can erase days or weeks of sales, bookings, or service delivery. For small businesses, that can be existential. For large ones, the losses reach millions.

  • Erosion of consumer trust. Customers rarely forgive repeated outages or vague responses. Once trust is broken, it is hard to win back.

  • Compliance and regulatory exposure. In many industries, regulators expect operational resilience. A failure to plan can trigger investigations, fines, or lawsuits.

  • Reputational damage. News of outages spreads fast. The narrative is shaped by whether you appear prepared or blindsided.

Triage, Containment, and Remediation Steps

Here is how organizations should structure their response plans to incidents like this.

Preparation (before an incident). This is (hopefully) where you are right now. Before an attack strikes, your job is to build the foundation of resilience. Inventory your critical systems, including those provided by third parties. Identify single points of failure. Define your “must run” functions: the services that cannot stop even if other systems go down. Develop manual or alternate processes. Test your backups regularly, simulate vendor outages, and ensure vendor contracts include requirements for cybersecurity, patching, and incident response.

Detection and triage. Monitor your systems for anomalies such as failed processes or unexpected behavior. Move quickly to identify the scope of an incident — which systems, vendors, or geographies are affected. Decide what must be contained immediately versus what can continue in a degraded state. Assemble your response team across IT, security, operations, vendors, legal, and communications.

Containment and isolation. Disconnect affected systems to prevent lateral spread. Switch to manual or alternate operations for critical functions, as airports did with handwritten boarding passes. Network segmentation helps limit an attacker’s reach. Engage vendors to secure patches or alternate versions of software.

Remediation and recovery. Apply updates and patches, audit and verify that systems are clean, and restore from backups where possible. Test that restored systems are functioning as intended. Monitor closely for signs of reinfection or residual compromise. Validate the vendor’s transparency and remediation process.

Communication and coordination. Keep stakeholders informed: customers, partners, regulators, and employees. Internally, brief staff so they know how to carry out manual procedures and avoid compromised systems. Externally, give customers and partners realistic expectations. In regulated sectors, coordinate with law enforcement or regulators as required.

Review and improvement. After the incident, run an after-action review. Identify what worked and what did not. Update your plans, improve vendor oversight, revisit insurance coverage, and train staff. Conduct drills and simulations to ensure the lessons stick. Consider investing in redundancy or additional resilience measures.

Why This Matters for Small and Large Companies Alike

  • Impact is about function, not size. Losing access to payments can be just as damaging for a small business as losing check-in is for an airport.

  • Third-party risk is pervasive. Most organizations rely on external software or services. If they fail, you feel it downstream.

  • Reputation and customer trust vanish quickly. A prepared response builds confidence. A chaotic one breeds doubt.

  • Costs compound. Lost revenue, legal exposure, fines, lawsuits, customer churn, and recovery costs pile up fast. For small businesses, one incident can close doors permanently. For large ones, ripple effects spread across supply chains and markets.

Call to Action

If your company does not yet have a robust cyber resilience plan:

  1. Map your critical dependencies, including third parties.

  2. Define what an acceptable disruption looks like and what must be protected.

  3. Develop fallback procedures for manual or alternate operations.

  4. Invest in regular drills that simulate vendor failure or ransomware compromise.

  5. Ensure your vendors are “cyber-responsible,” with transparent logging, timely updates, and clear incident response commitments.
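One way to work through steps 1 and 3 before an incident, as an added example that is not part of the original article: the inventory, component names and fallback names below are constructed for illustration. The script fails each component in turn and lists the must-run functions that go down with it, before and after manual alternates are recorded.

```python
# Constructed inventory for illustration; all names are hypothetical.
# "needs" is a list of groups: every group is required (AND), and any one
# member of a group satisfies it (OR, i.e. redundancy or a manual fallback).
INVENTORY = {
    "check_in":     {"must_run": True,  "needs": [["vendor_platform"]]},
    "baggage_drop": {"must_run": True,  "needs": [["vendor_platform"], ["baggage_belt"]]},
    "boarding":     {"must_run": True,  "needs": [["check_in"], ["gate_scanner", "paper_manifest"]]},
    "loyalty_site": {"must_run": False, "needs": [["vendor_platform"]]},
}
# function -> (component it depends on, manual alternate for that component)
FALLBACKS = {"check_in": ("vendor_platform", "handwritten_boarding_pass"),
             "baggage_drop": ("vendor_platform", "manual_bag_tag")}


def available(name, failed, inventory, seen=frozenset()):
    """True if `name` still works when every component in `failed` is down."""
    if name in failed or name in seen:  # a dependency cycle counts as down
        return False
    if name not in inventory:  # leaf: a system, vendor or manual procedure
        return True
    seen = seen | {name}
    return all(any(available(m, failed, inventory, seen) for m in group)
               for group in inventory[name]["needs"])


def single_points_of_failure(inventory):
    """Map each leaf component to the must-run functions lost if it alone fails."""
    leaves = {m for s in inventory.values() for g in s["needs"] for m in g} - set(inventory)
    report = {}
    for leaf in sorted(leaves):
        lost = sorted(n for n, s in inventory.items()
                      if s["must_run"] and not available(n, {leaf}, inventory))
        if lost:
            report[leaf] = lost
    return report


def add_fallbacks(inventory, fallbacks):
    """Return a copy in which each listed function gains its manual alternate."""
    out = {}
    for name, svc in inventory.items():
        comp, alt = fallbacks.get(name, (None, None))
        needs = [g + [alt] if comp in g else list(g) for g in svc["needs"]]
        out[name] = {"must_run": svc["must_run"], "needs": needs}
    return out


if __name__ == "__main__":
    print("before:", single_points_of_failure(INVENTORY))
    print("after: ", single_points_of_failure(add_fallbacks(INVENTORY, FALLBACKS)))
```

In this constructed data the vendor platform drops out of the second report, while `baggage_belt` remains because no alternate was recorded for it.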



The bottom line: The European airport ransomware incident shows that resilience planning works. Because airports had a plan to switch to manual operations, the disruption, though serious, did not escalate into a full shutdown. Without a plan, the story could have been far worse. We should all keep an eye on how this incident unfolds: the response, recovery, and lessons learned will provide valuable insights to strengthen our own cyber resilience planning.

Note: The details in this article reflect the publicly available information on the European airport ransomware incident at the time of writing. Whether or not more information emerges, the need for this kind of resilience planning remains essential for every organization.

Summary image of the steps an organization should take.

This piece was originally published on Command Line with Camille. For more insights like this, subscribe to the weekly Substack from our founder, Camille Stewart Gloster, exploring cybersecurity, AI, and the future of resilience.
