When Collins Aerospace, the aviation‑software arm of RTX Corp., fell victim to a ransomware breach on Sept 19 2025, airports from Dublin Airport to Heathrow Airport and Brussels Airport were forced into manual check‑in. The European Union Agency for Cybersecurity (ENISA) confirmed the attack on Sept 22, while the UK’s National Crime Agency later arrested a suspect. Spokesperson Graeme McQueen, representing Dublin Airport, and NCA deputy director Paul Foster briefed the press. The Everest ransomware group claimed responsibility.
What happened: the ransomware strike
The intrusion targeted the Multi‑User System Environment (MUSE) platform – a shared check‑in and baggage‑handling suite used by dozens of airlines across Europe. Late Friday night, September 19, 2025, security monitoring flagged abnormal activity on the MUSE network. By early Saturday, the malicious code began encrypting databases, rendering kiosks, bag‑drop machines and boarding‑gate software inoperable.
Within hours, Heathrow, Brussels, Berlin Brandenburg and Dublin airports switched to paper tickets and manual bag tags. Travelers reported queues stretching beyond the terminal exit, and flight‑information screens flickered with “System Unavailable” messages.
- Start date: September 19, 2025 (late night)
- Primary system affected: MUSE passenger processing software
- Airports impacted: Dublin, Heathrow, Brussels, Berlin, Cork
- Estimated passenger disruption: over 150,000 travelers in the first 48 hours
How airports responded
Each airport activated its business‑continuity plan. Dublin Airport’s Terminal 1 kept operating with normal gate assignments, while Terminal 2 relied on staff‑handed boarding passes. Heathrow Airport advised long‑haul passengers to arrive three hours early; staff manually checked IDs and printed boarding documents.
At Brussels Airport, roughly 60 flights were cancelled on Monday, September 22, 2025, leaving a gap of 23 arrivals and 40 departures out of 277 scheduled services. The airport’s spokesperson warned that full restoration could take days.
Berlin’s venture was similar – a handful of flights were delayed, but the airport managed to keep most domestic services running by deploying temporary check‑in desks.
Law enforcement and arrests
On September 24, 2025, the National Crime Agency disclosed that officers had arrested a man in his forties from West Sussex under the Computer Misuse Act. Deputy director Paul Foster said the suspect was released on conditional bail and that the investigation remained in its early stages.
ENISA’s official statement on September 22 linked the outage directly to a ransomware campaign, though it did not name the malware strain. Later, cybersecurity analysts traced the code pattern to the so‑called Everest ransomware group, which bragged on a dark‑web forum about disrupting the European aviation sector.
Industry impact and expert views
Jonathan Hall KC, the UK government’s independent reviewer of terrorism legislation, warned that “state‑sponsored actors have both the motive and the capability to launch a strike of this scale,” but he also acknowledged that sophisticated criminal collectives can achieve similar results.
According to a 2025 industry report, cyber‑attacks on airlines and airports have surged by 600 % year‑over‑year. The MUSE incident underscored how a single point of failure in a shared software environment can cascade across multiple jurisdictions.
RTX Corp., the parent of Collins Aerospace, filed an 8‑K with the U.S. Securities and Exchange Commission on September 24, stating that the breach was contained to customer‑specific networks and that it expected no material impact on its financial condition. The company is working with forensic experts and has notified both U.S. and EU law‑enforcement agencies.
What’s next for aviation cybersecurity
Airlines are scrambling to diversify their check‑in infrastructure, with several carriers already piloting cloud‑based backups of passenger data. ENISA has called for a “sector‑wide risk‑assessment framework” to force providers like Collins Aerospace to adopt zero‑trust architectures.
In the short term, passengers should expect longer processing times at affected hubs and keep an eye on airline communications. Long‑term, regulators may require mandatory cybersecurity certifications for all passenger‑processing software, a move that could reshape the market for vendors like Collins Aerospace.
Frequently Asked Questions
How does the ransomware attack affect travelers at Dublin Airport?
Passengers using Terminal 2 may face manual check‑in and bag‑tagging, meaning queues can be twice as long as usual. Travelers are advised to arrive at least two hours early for short‑haul flights and three hours for long‑haul journeys.
What caused the disruption at Heathrow Airport?
The MUSE platform that handles electronic check‑in and baggage drop was encrypted by ransomware, forcing Heathrow staff to revert to paper tickets and manual bag processing. The airport continues to operate most flights, but processing times are extended.
Who is being investigated for the cyber‑attack?
The UK National Crime Agency has arrested a West Sussex resident on suspicion of Computer Misuse Act violations, though he was released on bail. ENISA and international law‑enforcement agencies are also tracing the responsible group, which appears to be the Everest ransomware syndicate.
Will airlines face financial penalties because of the outage?
So far, RTX Corp. has indicated that the incident will not have a material impact on its financial statements. Individual airlines may incur extra costs for staffing and passenger compensation, but no regulatory fines have been announced yet.
What steps are being taken to prevent a repeat?
ENISA is drafting a sector‑wide cybersecurity framework that will require vendors to implement zero‑trust network architectures and regular penetration testing. Airlines are also exploring redundant, cloud‑based check‑in systems to avoid single‑point failures.
Write a comment