Travelers across Europe faced a weekend of chaos as a ransomware attack on Collins Aerospace, a key supplier of aviation systems, led to widespread flight cancellations and delays. The incident, which began late on Friday, September 19, 2025, and spilled into Saturday, left airports in major cities such as London, Berlin, Brussels, and Dublin scrambling to keep operations running as their digital infrastructure buckled under the assault.
According to the European Union’s cybersecurity agency ENISA, the disruption was the direct result of a ransomware attack targeting Collins Aerospace’s ARINC Multi-User System Environment (MUSE) platform. This software is at the heart of electronic check-in and baggage management for many airlines, allowing different carriers to share passenger-facing systems like check-in desks and kiosks. When it went down, staff at affected airports had no choice but to revert to manual procedures—a scenario that quickly led to long lines, missed flights, and mounting frustration for thousands of passengers.
The attack’s impact was immediate and far-reaching. As reported by Computer Weekly, airports like Heathrow, Berlin Brandenburg, Brussels, and Dublin were among the hardest hit. “Work continues to resolve and recover from an outage of a Collins Aerospace airline system that impacted check-in. We apologise to those who have faced delays, but by working together with airlines, the vast majority of flights have continued to operate,” a Heathrow spokesperson said in a statement on Monday, September 22. Passengers were urged to check their flight status before heading to the airport and to arrive no earlier than three hours before long-haul flights or two hours for short-haul journeys.
Despite the scale of the disruption, neither Collins Aerospace nor its parent company, RTX (which also owns aerospace and defense giants Pratt & Whitney and Raytheon), provided details beyond confirming their response to a cyber incident. The precise cause of the breach—and the identity of the attackers—remained a mystery as of Monday. ENISA confirmed only that a “third-party ransomware incident” was to blame and declined to share further information.
The UK’s National Cyber Security Centre (NCSC) quickly mobilized, working alongside Collins Aerospace, affected UK airports, the Department for Transport, and law enforcement to assess the impact and coordinate the response. “All organisations are urged to make use of the NCSC’s free guidance, services and tools to help reduce the chances of a cyber attack and bolster their resilience in the face of online threats,” a spokesperson said.
For many in the cybersecurity community, the attack was a stark reminder of the vulnerabilities inherent in the aviation sector’s reliance on complex digital supply chains. As Jake Moore, global cybersecurity advisor at ESET, told Computer Weekly, “When the supply chain is attacked in the aviation industry, the disruption hits on a damaging global scale. Since the outage stems from a third-party provider for check-in and boarding systems, it shows how a single point of failure can ripple quickly across multiple countries causing widespread problems.” Moore emphasized the need for robust fallback procedures, noting, “Like any industry, airports and airlines must ensure they can fall back on manual or alternative systems smoothly but this is made more difficult with such a preciously managed environment.” He also called on regulators to “tighten standards even more for critical aviation IT suppliers.”
The attack on Collins Aerospace is part of a broader, troubling trend. According to ENISA and echoed by The Hindu, ransomware attacks in the first half of 2025 have already far outpaced those seen in 2024. Cybercriminals appear to be growing more audacious, targeting ever-larger and more visible organizations in pursuit of bigger payoffs and greater notoriety within their circles. Rafe Pilling, Director of Threat Intelligence at Sophos, explained, “The subset of attacks deliberately engineered for maximum disruption, often by Western-based groups, are the outliers, but they are becoming more visible and more ambitious.”
Despite speculation, no ransomware group had publicly claimed responsibility for the Collins Aerospace attack as of September 22, and websites monitoring dark web “leak sites” had not detected any group boasting about the incident. This is notable, as ransomware gangs often publicize attacks and leak stolen data to increase pressure on their victims and enhance their own reputations. The notorious hacking collective Scattered Spider, which was linked to a high-profile attack on British retailer Marks & Spencer earlier this year, was mentioned by experts as an example of the kind of group capable of such disruption, but no direct connection has been established in this case.
The motivations behind these attacks are complex. While financial gain remains the primary driver—ransomware is, after all, a tool for extortion—experts say that reputation and credibility within the cybercriminal underground are increasingly important. As Pilling of Sophos put it, “Their motivation isn't only financial though and pulling off a high-impact breach also brings social standing and credibility within their peer networks.”
Martyn Thomas, Emeritus Professor of IT at Gresham College, London, offered a sobering assessment of the risks. “We have been lucky so far, as the motivation of cyber criminals has been disruption or financial gain. If they were to decide to cause serious injury or many deaths, the same attack strategies could be used on critical systems in healthcare or major infrastructure.”
The attack has also reignited debate over how governments and industries should respond to the growing ransomware threat. The UK government, for example, is considering a ban on ransomware payments by certain organizations, a move that could set a precedent for Europe’s broader response to such incidents. Authorities in the United States recently seized over a million dollars in cryptocurrency assets laundered by the BlackSuit ransomware gang, highlighting the international nature of the fight against cybercrime.
One thing is clear: as the digital backbone of modern air travel becomes ever more intricate, the stakes of cybersecurity failures only rise. The Collins Aerospace incident is a stark warning that even a single compromised supplier can bring a continent’s airports to a standstill. The aviation industry, regulators, and governments now face mounting pressure to harden defenses, develop reliable fallback systems, and rethink their strategies for a world where cyberattacks are not just possible, but increasingly inevitable.
For now, passengers and airlines alike are left to pick up the pieces, hoping that the lessons learned from this weekend’s disruption will help prevent even greater chaos in the future.