As regulators mandate resilience in business operations, what can others learn from the cyberattack on a supplier that impacted Heathrow and its peers in Europe?

In September, a cyberattack on software supplier Collins Aerospace led to long delays at a number of European airports, including London Heathrow, Brussels and Berlin. The attack hit Collins’ MUSE common-use passenger processing software, which airlines use at the airports for check-in, bag drop and boarding.

At the time, many of the headlines focused on disruption and passenger frustration, yet perhaps the more interesting story is that Heathrow’s operations didn’t grind to a halt. The airport kept functioning, albeit in a degraded mode, thanks to fallback procedures in place before the incident happened.

The incident comes at a time when the risk of cyberattack is surging. According to Thales, ransomware attacks on the aviation sector rose by 600% in a single year.

Taking figures such as these into account, governments and regulators are preparing for a future where preventing every cyber incident isn’t possible. What matters more is that organisations can keep operations running when incidents do take place.

The Line Between Disruption and Disaster

The airport’s response helped it to keep going even when under attack. To its credit, Heathrow’s focus was on keeping essential operations moving, even if its core functions slowed down and caused visible disruption, says Becky White, senior solicitor in Harper James’ data protection and privacy team.

“The priority was maintaining safe travel, rather than preserving a smooth passenger experience,” she tells IO. “By switching to pre-planned manual processes and separating critical systems from those affected, they were able to absorb the shock, rather than collapse under it.”

Disaster would have meant a shutdown of air traffic and passenger processing altogether, whereas disruption meant queues, delays and workarounds. Heathrow had “clearly invested in fallback procedures that didn’t rely on perfect conditions”, White points out. “When systems failed, staff knew what ‘good enough to stay open’ looked like, and they acted on it.”

Learnings for Other Sectors

Others should be taking note, especially those operating in critical sectors where downtime is not an option. Beyond aviation, for industries such as healthcare, energy and finance, or retail, which has seen its own spate of attacks, the Heathrow example shows how resilience can make all the difference.

It is about ensuring that critical data can be recovered quickly, systems can be restored safely, and operations can continue even when the primary environment is offline, says Anthony Cusimano, director at Object First. “These sectors rely heavily on uninterrupted access to data and operational systems, and even brief outages can have cascading consequences.”

Critical industries are increasingly judged on their ability to operate in “degraded mode” rather than avoiding disruption altogether, says White. “Heathrow demonstrated that business continuity doesn’t have to be perfect. It’s about foresight, rehearsal and the ability to prioritise what must keep going.”

The Hidden Question

Learning from Heathrow’s approach, every board should be questioning how long they could remain operating if their core systems went offline, says Sean Tilley, senior sales director EMEA at 11:11 Systems.

Yet he points to an “uncomfortable truth”: Many organisations haven’t fully stress-tested this scenario and business continuity exercises are often “theoretical or siloed”.

Most organisations quietly assume they could cope “for a while” without a core system, but very few have tested how long this actually is, says White. “The honest question isn’t whether recovery is possible, but how long the business could function without its key platforms – and what the cost would be to customers, safety or compliance.”

Taking this into account, organisations should treat the Heathrow incident as “a case study for resilience planning”, says Ken Prole, executive director of software engineering at Black Duck. He points out that disruption doesn’t only come from cyberattacks: It can also stem from unexpected events such as the CrowdStrike incident that took down systems worldwide in 2024.

With the impact of downtime such as this in mind, he highlights questions that should be asked. For example, says Prole: “Have you identified all the critical dependencies in your operations and conducted a thorough threat model? Do you have a documented playbook outlining the actions to take when one or more dependencies are compromised?”
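The two questions above are usually answered on a spreadsheet, but the underlying analysis is a dependency graph: which operations need which systems, which of those systems sit on a supplier, what manual fallback covers each one and for how long, and whether that cover exceeds the maximum tolerable period of disruption (MTPD) for the operation. The following Python model is an added example, not code from the article or from Heathrow; the system names, fallback durations and tolerance values are constructed for illustration and are not the airport's actual architecture. It propagates an outage transitively through the dependency graph, then reports each operation as running, degraded within tolerance, in breach of its tolerance, or down.

```python
"""Dependency-impact model for 'degraded mode' planning (added example).

All systems, suppliers, fallback durations and MTPD values are constructed
for illustration; they are not Heathrow's real architecture.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    depends_on: list[str] = field(default_factory=list)
    # Hours a pre-planned manual or alternate procedure can stand in for this
    # system. None means there is no fallback at all.
    fallback_hours: float | None = None


@dataclass
class Operation:
    name: str
    needs: list[str]    # systems this operation directly requires
    mtpd_hours: float   # maximum tolerable period of disruption


def failed_systems(systems: dict[str, System], outage: set[str]) -> set[str]:
    """Propagate an outage through the dependency graph until stable."""
    failed = set(outage)
    changed = True
    while changed:
        changed = False
        for s in systems.values():
            if s.name not in failed and any(d in failed for d in s.depends_on):
                failed.add(s.name)
                changed = True
    return failed


def assess(systems: dict[str, System], operations: list[Operation],
           outage: set[str]) -> dict[str, tuple[str, float | None]]:
    """Classify each operation for a given outage.

    Returns name -> (status, hours_of_cover):
      "ok"       nothing the operation needs has failed
      "degraded" every failed dependency has a fallback that outlasts the MTPD
      "breach"   fallbacks exist but the shortest one expires before the MTPD
      "down"     at least one failed dependency has no fallback
    """
    failed = failed_systems(systems, outage)
    report: dict[str, tuple[str, float | None]] = {}
    for op in operations:
        lost = [n for n in op.needs if n in failed]
        if not lost:
            report[op.name] = ("ok", None)
            continue
        covers = [systems[n].fallback_hours for n in lost]
        if any(c is None for c in covers):
            report[op.name] = ("down", 0.0)
            continue
        hours = min(c for c in covers if c is not None)
        status = "degraded" if hours >= op.mtpd_hours else "breach"
        report[op.name] = (status, hours)
    return report


# Constructed sample inventory: a supplier-hosted passenger system feeding
# several airport-side systems, plus systems with no supplier dependency.
SYSTEMS: dict[str, System] = {s.name: s for s in [
    System("supplier_pps"),                                   # supplier software, no fallback
    System("checkin_desk", ["supplier_pps"], fallback_hours=72),   # manual check-in
    System("bhs_controller"),                                 # baggage handling PLCs, no fallback
    System("bag_drop", ["supplier_pps", "bhs_controller"], fallback_hours=12),  # hand tagging
    System("boarding_gate", ["supplier_pps"], fallback_hours=48),  # paper manifests
    System("atc"),                                            # air traffic control, no fallback
]}

OPERATIONS: list[Operation] = [
    Operation("process passengers", ["checkin_desk", "bag_drop"], mtpd_hours=24),
    Operation("depart aircraft", ["atc", "boarding_gate"], mtpd_hours=2),
]


if __name__ == "__main__":
    for scenario in ({"supplier_pps"}, {"bhs_controller"}, {"atc"}):
        print(f"outage of {sorted(scenario)}:")
        for op, (status, hours) in assess(SYSTEMS, OPERATIONS, scenario).items():
            extra = "" if hours is None else f" ({hours:g}h of fallback cover)"
            print(f"  {op}: {status}{extra}")
```

Running the three scenarios shows the kind of answer a board needs: losing the supplier system leaves departures degraded but within tolerance, while passenger processing breaches its tolerance after twelve hours because hand-tagging bags runs out before manual check-in does; losing the baggage controller alone has the same effect on passenger processing; losing air traffic control is not a degraded mode at all. The weakest fallback, not the average one, sets how long the business can run.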

Incoming Regulation

The need for operational resilience during an attack is a key part of multiple regulations. In the EU, the revised Network and Information Systems Directive (NIS2) and, for financial entities, the Digital Operational Resilience Act (DORA) prioritise operational continuity following an incident; in the UK, the Cyber Security and Resilience Bill is set to do the same.

“Compliance will increasingly require organisations to demonstrate resilience through metrics, audits, and proof of tested recovery capabilities,” Tilley says.

Meanwhile, ISO/IEC 27001 sets a baseline for information security management systems. Its 2022 Annex A includes controls for incident management planning and response (A.5.24 to A.5.28), maintaining information security during disruption (A.5.29) and ICT readiness for business continuity (A.5.30), the last of which expects continuity plans to be maintained and regularly tested.

Standards such as this emphasise scenario-based testing under realistic conditions, so organisations can “validate their plans, identify gaps, and build confidence in their ability to respond effectively”, according to Prole.

Another useful resource is the NIST Cybersecurity Framework (CSF), which since version 2.0 (2024) has six core functions: govern, identify, protect, detect, respond and recover. The last two are where degraded-mode operation and restoration are addressed.

In the UK specifically, the National Cyber Security Centre’s Cyber Assessment Framework (CAF) is the tool for operators of essential services and critical national infrastructure; its fourth objective, minimising the impact of cyber security incidents, covers response and recovery planning.

Board-Level Responsibility

Resilience is now a compliance requirement, and for good reason. Prevention remains vital, but the bigger test is how organisations keep going when the worst happens. Heathrow is a real-world reminder that resilience – when tested, rehearsed, and embedded – is as much a compliance requirement as a security safeguard.

This is important to consider at board level, where responsibility for resilience as well as security now lies, White points out. She thinks firms must “define what level of downtime is tolerable”, understand their operational dependencies and “ensure investment in realistic continuity planning”.

At the same time, regular reviews are needed to adapt to changes in technology, regulation and supply chains, White says. “Resilience should sit alongside financial and legal risk at board level, with clear reporting lines and accountability. The expectation from regulators and stakeholders is that firms can demonstrate readiness, not just intent. If the board only encounters the plan during a real incident, the organisation has already lost control of the narrative.”