Over the weekend of September 20–22, 2025, Europe’s cybersecurity agency ENISA confirmed that a ransomware attack against Collins Aerospace, a provider of airport check-in and boarding systems, caused significant disruptions at several major airports including London Heathrow, Brussels, and Berlin. The attack disabled automated check-in and baggage drop systems supplied via Collins Aerospace’s MUSE/ARINC cMUSe software, forcing airports to revert to manual processing. Airlines and airports worked to restore functionality, with some systems being patched and updated, though delays and cancellations continued days later. Origin or attribution of the attack remains unconfirmed, and ENISA has not released details on which ransomware strain was used.
Sources: Reuters, Al Jazeera, Business Insider
Key Takeaways
– Dependence on third-party software creates systemic risk — The disruption shows that when critical infrastructure like multiple airports rely on shared check-in and boarding systems (in this case Collins Aerospace’s MUSE or ARINC cMUSe), a successful attack on that service can ripple widely.
– Operational resilience (manual fallback) matters, but isn’t instant — Airports switched to manual check-in and baggage handling procedures, but delays and cancellations continued, underscoring that fallback systems exist but are less efficient and slow to fully compensate.
– Lack of clarity on threat source and technical details heightens uncertainty — ENISA hasn’t publicly confirmed where the attack came from or what exact ransomware strain was used, which makes attribution hard and complicates how governments and private sector can respond or prepare for similar attacks.
In-Depth
Over the weekend in September 2025, a ransomware attack struck a critical node in Europe’s aviation infrastructure, honing in on check-in and boarding systems supplied by Collins Aerospace. ENISA, the EU’s cybersecurity agency, has since confirmed that this was a third-party ransomware incident. What makes this incident especially notable is how broadly the effects were felt—not just at a single airport but across multiple hubs including Heathrow, Brussels, and Berlin. Automated check-in and baggage drop systems, typically taken for granted by passengers, went offline. Airports scrambled, shifting operations back to manual processing with pen, paper, and laptops.
This kind of operational pivot is always costly: delays stack up, cancellations mount, staffing needs spike, and passengers end up bearing the inconvenience. Though some updates and patches have been applied and systems are gradually recovering, disruptions lingered for days. Berlin, for example, reported more than an hour delay on many departures, while Brussels had to cancel dozens of flights.
What remains unclear are some of the most crucial components of the incident: who carried out the attack, where they are based, and what ransomware strain was used. ENISA has so far withheld those specifics, and Collins Aerospace has offered limited detail beyond acknowledging their systems are being worked on.
From a broader perspective, this event sharpens conversations around cybersecurity in critical infrastructure. While there has been awareness of threat vectors (especially ransomware), this incident revisits how much of aviation operations depend on external providers whose systems may not always be under direct control. Strengthening resilience—including more robust backup/manual systems, supply-chain security, faster detection, and clarity in response—will be essential for managing future risks.
For regulators, aviation industry leaders, and governments alike, this is a reminder: when technology fails, every link in the chain matters, and visibility into those links is essential.