Cyberattack Disrupts Operations at Major European Airports
A ransomware cyberattack targeting Collins Aerospace’s check-in software disrupted operations at major European airports beginning September 19, 2025, causing widespread flight delays, cancellations, and manual processing across the continent.
A major cyberattack struck several of Europe’s busiest airports starting on September 19, 2025, crippling electronic check-in and baggage systems and forcing thousands of passengers and airline staff into chaos. The incident, confirmed by the EU’s cybersecurity agency ENISA, was traced to a third-party ransomware attack on Collins Aerospace’s MUSE software, a critical system used for passenger check-in, boarding, and baggage handling at airports including London Heathrow, Brussels, Berlin Brandenburg, Dublin, and Cork. The disruption rapidly spread over the weekend, with airports forced to revert to manual operations such as handwriting boarding passes and manually checking in passengers, resulting in significant delays and cancellations.
Scope and Impact of the Attack
Brussels Airport emerged as the hardest hit, asking airlines to cancel nearly 140 departing flights on Monday, September 22, due to the inability of Collins Aerospace to deliver a secure version of its check-in system. Over the weekend, Brussels saw 25 outbound flights canceled on Saturday and 50 on Sunday, with manual check-in remaining the only option for many travelers. London Heathrow and Berlin Brandenburg also experienced severe disruptions, though by Sunday, operations at these airports had begun to recover, with most flights resuming but some delays persisting due to ongoing manual procedures. Dublin Airport warned passengers of longer wait times at Terminal 2, where airlines continued to use manual workarounds for bag tags and boarding passes.
The attack exposed the aviation sector’s vulnerability to third-party software compromises, as the interconnected nature of airport operations meant that a single point of failure cascaded into a continent-wide crisis. While self-service kiosks and online check-in remained operational at some locations, the reliance on Collins Aerospace’s systems for core functions left many airports scrambling to deploy backup laptops and extra staff to maintain departures. According to airport spokespeople, the cyberattack affected only computer systems at check-in desks, not self-service kiosks, allowing some continuity in operations.
Response and Ongoing Disruption
Collins Aerospace, a subsidiary of RTX Corp., confirmed the cyber-related disruption but has not disclosed the specific tactics used in the attack, which remains under investigation. The company stated on Monday that it was in the final stages of completing necessary updates to rectify the issue, but as of September 22, many airports were still experiencing delays and cancellations. The European Commission reported that aviation safety and air traffic control were unaffected, and there was no indication of a widespread or severe attack beyond the targeted check-in systems.
Airports and airlines advised passengers to check flight statuses before traveling and to use online check-in and self bag drop services where possible. Messages on airport websites urged travelers to arrive only if their flights were confirmed and to allow extra time for manual processing. The Berlin Marathon added to passenger congestion at Berlin Brandenburg, compounding delays. Despite the disruption, most airports managed to maintain a majority of scheduled departures, thanks to alternative backup systems and the deployment of additional staff.
Systemic Vulnerabilities and Industry Lessons
The incident has highlighted serious systemic weaknesses in the aviation sector’s digital infrastructure, particularly the risks posed by reliance on third-party vendors for critical operations. Experts warn that the attack is a stark reminder of the need for robust cyber resilience and contingency planning in aviation, as the stakes for critical infrastructure are too high to leave defenses to chance. The identity of the attackers remains unknown, with speculation ranging from criminal organizations to state actors, but the event has prompted urgent calls for improved cybersecurity measures and greater scrutiny of supply chain vulnerabilities across the industry.