Would Your Business Be Back to Pen & Paper if a Critical Supplier Failed for 3 Days? Lessons from the Brussels Airport Cyber Attack

On Saturday, 20th September 2025, I woke up to read a message from a family member who was travelling out of Brussels Airport heading to Hong Kong.

• First message:

  “There are unknow delays. I’ve never seen it so busy here.”

• Later, another message:

  “Just found out it’s because of a cyber attack on one of their suppliers.”

• A few hours on:

  “They’re doing everything by paper and pen here.”

• And finally, hours later another message:

  “It took me two and half hours just to through check-in. After that, security and border control were a breeze.”

That was the beginning of their journey.

What started as confusion turned into three days of major disruption with one report confirming it’s now into it’s ‘third black day’ at the time of writing this blog post, with flights cancelled, queues still long with frustrated passengers, and investigations continue to the cause of the system disruption to MUSE self check-in software (Multi-User System Environment). A system that assists passengers with self check-in and prints luggage tags and boarding passes.

The Human Side of Supplier Failures

From the family member’s perspective, it wasn’t about ransomware or IT systems. It was about standing in a line for hours, watching staff juggle paper forms, and the stress of not knowing if they would make their flight that has a connecting a flight at the other end.

That’s what happens when suppliers fail, regardless of the cause its people who feel it first.

Passengers face delays and anxiety.

Staff are overwhelmed, reverting to outdated workarounds.

Businesses scramble to protect their reputation while lacking answers.

What if this was your business?

What lessons any business should draw from this:

• When 25 departures and 13 arrivals are cancelled in a single day, that causes ripple effects. Flights get delayed, crews are re-scheduled, and passengers miss connections.

• Asking to cancel half of scheduled departures means the situation is expected to persist and cause not just hours, but days of disruption. (*On Sunday, Brussels Airport asked airlines to cancel half of Monday’s scheduled departures, reflecting how serious the impact has been.)

• According to The Brussels Times, 85% of departures still going shows mitigation is possible, but the cost is high due to manual work, confusion, and passengers having to wait.

It’s easy to dismiss this as “just an airport problem, it won’t happen to me.” But picture this and swap the airline check-in system with your one of your own critical systems or processes. On Day 1, you are hearing rumours that your supplier had a cyber security breach. By Day 2, you are having to switch to manual processes because you still don’t know what’s happening and are confused. By Day 3, you are cancelling large chunks of your business operations or having to do more improvisions to sustain the business.

• What if your payroll provider was offline for three days?

• What if a service or booking platform widely-used in your industry, including by your company, went down before a peak sales weekend? For example customers couldn’t book in for hair appointments?

• What if your supplier of customer data services couldn’t provide updated (real-time) information?

Would your business still be able to run or would you be left scrambling to improvise, just like those airport staff with pens and paper?

That was Brussels Airport, and your business could be next if contracts aren’t built for this.

The Role of Supplier Contracts

The real protection doesn’t come on the day of the crisis. It comes months and even years earlier, when supplier contracts are negotiated and reviewed regularly.

Here are some contractual and operational considerations:

• Notification and Transparency Clauses that Account for the Unknown

  Immediate incident notification for both security incidents and privacy data breaches, even if the full picture isn’t known. Regular status updates are essential.

• Fallback / Manual Workaround Requirements

  Be explicit about what happens if electronic systems fail.

  Do you have a continuity plan in place for your business? - testing alternative situations like supply chain failures and including privacy breaches (internal and external), not desperate improvisations.

  Do you have manual processing plans in place, and are staff trained and equipment ready?

• Cooperation clauses

  Suppliers must support you with regulator reporting and customer communications.

• Communication Plans for Employees, Customers, and Regulators

  When things go sideways, the emotional impact of not knowing (why the delay, how long it will last, whether data was compromised) damages trust. Contracts and internal plans should cover who communicates what, when.

• Regular Reviews and Refresh of Contracts

  Since supplier systems evolve, cyber threats change, and even the legal/regulatory environment can change too, contracts should be revisited at least annually, and definitely at renewal or when a supplier changes major systems.

The above are just a few ways to avoid or reduce the kind of disruption Brussel’s airport experienced.

Planning for Long Disruptions

Most businesses prepare for outages measured in hours, not days. But Brussels shows us three truths:

• Suppliers can go down for much longer than you expect.

• Not knowing the full cause increases anxiety for everyone involved.

• If you don’t plan for “days” your fallback is pen and paper.

The Leadership Takeaways

You can’t control or prevent every supplier breach. But you can control how much disruption it causes your business.

If your contracts don’t cover notification, security and privacy expectations, and cooperation, your customers and your staff will feel the same as those passengers in Brussels:

• waiting for hours at check-in;

• feeling confused and powerless not knowing if they will make their flight, arrive in time for a connecting flight or lose money, and

• frustrated with the manual check-in process.

Resilient contracts and tested plans don’t just protect systems, they protect people from stress, uncertainty, and against the erosion of trust in your business. It’s an emotional journey for everyone. Contracts, plans, and risk reviews are not just about costs, they are really about avoiding those moments of human stress.

Preparation today means you don’t have to hear from your team or your clients/customers:

“We’ve never seen it this bad. They’ve gone back to pen and paper.”