Heathrow and the MUSE Cyberattack: More Than Just Airport Delays

• by Anthony Orjally
• Advent IM Blog

When Heathrow and several other major European airports found themselves plunged into long queues, manual check-ins and delayed flights this September, the headlines focused on passenger disruption. The underlying story is more complex, and its implications reach far beyond irritated travellers.

The disruption stemmed from a cyberattack on MUSE (Multi-User System Environment), a shared platform developed by Collins Aerospace and used by airlines and airports to handle check-in, baggage and boarding. With MUSE offline, airports had little choice but to revert to paper and patience.

That surface story is only the beginning. This incident shines a light on systemic vulnerabilities in aviation and in the way we govern technology in critical national infrastructure.

A single point of failure

Shared platforms like MUSE deliver efficiency and scalability. One vendor system allows dozens of airlines to share desks, kiosks and gates. But efficiency comes with concentration risk. When MUSE failed, the failure cascaded across airports in multiple countries at once. For many organisations, this will be a wake-up call: vendor concentration isn’t simply a cost issue – it’s a strategic risk.

The unintended consequences

The obvious problems were queues and cancellations. The less visible consequences may prove more costly:

• Regulatory cascade: NIS2 and its UK equivalents mean regulators will dig deeper than the immediate outage. Broader reviews of resilience, governance, and supplier oversight are likely.
• Contractual disputes: Airlines and airports will be testing their SLAs with Collins Aerospace. Liability, compensation, and service obligations could end up in arbitration or litigation.
• Insurance impact: A wave of claims will sharpen the focus of cyber insurers. Premiums and terms may harden, particularly around shared-system dependencies.
• Passenger trust: Confidence in airports and airlines depends on smooth, reliable service. If travellers start to view these systems as fragile, reputations will suffer long after the queues have cleared.
• Operational diversion: When leadership and resources are consumed by incident recovery, other projects – modernisation, maintenance, resilience upgrades – often stall, creating vulnerabilities of their own.

Beyond the check-in desk

The pressing question now is whether the attack was contained to MUSE or if it provided attackers with a foothold elsewhere.

Airports are complex ecosystems of interconnected networks: from baggage handling and retail systems to access control and fuel pumps. If segmentation is weak, a compromise in one system can provide pathways into others.

Vendor access rights create further risk. Shared platforms often mean shared credentials and remote access arrangements. If these were abused, attackers could attempt to pivot deeper into airport networks.

There’s also the prospect of data exposure. Passenger manifests, staff rosters or operational diagrams are valuable targets. Even if the immediate attack was focused on disruption, it may have doubled as reconnaissance for future campaigns.

What comes next

The most likely developments include:

• Detailed investigation reports from Collins Aerospace, regulators, and national security agencies.
• Regulatory pressure to treat shared aviation systems as critical infrastructure with higher assurance obligations.
• Vendor diversification, as airports and airlines look to reduce their reliance on single suppliers.
• Wider audits across other sectors: if MUSE was vulnerable, what about healthcare scheduling systems, utilities management, or defence logistics software?
• Board-level action to embed supply-chain risk more deeply into governance and assurance frameworks.

If attribution identifies criminal groups, the focus will be resilience and recovery. If state involvement is suggested, the political consequences will stretch far wider than aviation.

The bigger lesson

The Heathrow incident is not just an IT disruption; it’s a governance problem. It demonstrates the fragility of shared systems when vendor resilience is taken on trust. It shows how operational efficiency can tip into systemic risk. And it underlines the importance of treating supply-chain dependencies as core to enterprise risk management, not as a footnote.

For Government, Defence and critical national infrastructure, the message is unavoidable: shared systems that underpin essential services must be stress-tested, regulated, and continuously assured. Trust without verification is not resilience.

By Ellie Hurst, Commercial Director.