Thousands of travelers across Europe found themselves stranded or delayed this past weekend after a major ransomware attack crippled check-in and boarding systems at some of the continent’s busiest airports. The culprit? A cyber assault on Muse, the passenger processing software provided by Collins Aerospace, an American aviation technology giant owned by RTX (formerly Raytheon Technologies). The attack, which began late Friday night, September 19, 2025, sent shockwaves through the aviation industry and exposed the vulnerabilities of critical infrastructure that keeps global air travel running smoothly.
According to the European Union Agency for Cybersecurity (ENISA), the disruption began when a third-party ransomware incident hit Collins Aerospace’s Muse system—a platform that supports check-in, boarding, and baggage solutions for airlines worldwide. The impact was immediate and severe: airports including London Heathrow, Berlin Brandenburg, Brussels, and even Dublin were forced to abandon automated systems in favor of slow, manual processes. Long queues snaked through terminals, and thousands of passengers were left waiting for hours or scrambling for answers as flights were delayed or outright canceled.
ENISA confirmed on Monday, September 22, 2025, that the type of ransomware had been identified and that law enforcement agencies were actively investigating the attack. “ENISA is aware of the ongoing disruption of airports’ operations, which were caused by third-party ransomware incident. At this moment, ENISA cannot share further information regarding the cyberattack,” the agency told TechCrunch in an emailed statement. The agency’s confirmation was echoed by other authorities and news outlets, including the BBC and Reuters, which reported that the incident had forced airport staff to rely on manual or backup systems for check-in and boarding throughout the weekend.
Collins Aerospace, for its part, remained publicly cautious in its statements. “We have become aware of a cyber-related disruption to our Muse software in select airports. We are actively working to resolve the issue and restore full functionality to our customers as quickly as possible,” RTX said in a statement, as reported by Security Affairs and Bloomberg. The company added, “The impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations. We will share more details as they are available.”
The Muse software is particularly significant because it allows multiple airlines to share check-in desks and boarding gate positions at an airport, rather than requiring each airline to have its own dedicated infrastructure. This shared approach increases efficiency and flexibility—but, as the events of the weekend demonstrated, it also means that a single point of failure can ripple out across multiple carriers and terminals simultaneously.
At the height of the disruption, airport staff at Heathrow, Berlin, Brussels, and Dublin were urged to use manual workarounds to check in and board passengers. Internal crisis communications seen by the BBC revealed that over a thousand computers may have been “corrupted,” with much of the recovery work having to be done in person rather than remotely. In a memo to Heathrow staff, airlines were advised not to turn off computers or log out of the Muse software if they were already logged in, reflecting concerns that hackers might still have access to compromised systems.
The fallout was felt unevenly across Europe. By Sunday, September 21, some improvement was seen as about half the airlines at Heathrow had managed to get back online using backup systems, including British Airways. However, Brussels Airport remained in the grip of the crisis, canceling nearly 140 of its 276 scheduled outbound flights for Monday, September 22, according to the Associated Press. Ihsane Lekhli, a spokesperson for Brussels Airport, told Bloomberg, “It is not yet clear when we will be able to switch back to the normal check-in and boarding system.” The airport encouraged passengers to check in online in advance, as in-person systems were still unreliable.
The Berlin Brandenburg Airport faced a double whammy: not only did the cyberattack disrupt its operations, but the timing coincided with the Berlin Marathon, leading to particularly high passenger volumes and ongoing delays well into Monday. Other airports were gradually returning to normal, though the recovery was described as “uneven” by multiple sources.
While the precise identity of the attackers remains unknown, ENISA and other authorities have indicated that organized criminal gangs are likely responsible. Ransomware attacks typically involve hackers encrypting a victim’s files and then demanding a ransom—often in bitcoin—to unlock the data. “The type of ransomware has been identified. Law enforcement is involved to investigate,” ENISA said in its statement to Reuters. The BBC noted that ransomware attacks have surged by 600% in the aviation sector over the past year, citing a June report from French aerospace company Thales. These attacks have targeted not only airlines and airports, but also critical navigation systems and other services, demonstrating the growing sophistication and ambition of cybercriminals.
In the wake of the incident, the UK’s National Cyber Security Centre (NCSC) issued a statement emphasizing its ongoing collaboration with Collins Aerospace, affected UK airports, the Department for Transport, and law enforcement agencies to fully understand the impact of the attack. “All organisations are urged to make use of the NCSC’s free guidance, services and tools to help reduce the chances of a cyber attack and bolster their resilience in the face of online threats,” a spokesperson said, as reported by the BBC and other outlets.
Collins Aerospace confirmed on Monday morning that it was in the final stages of completing software updates to restore service following the cyberattack. However, the company declined to comment on internal memos or the specifics of the recovery process. The incident has underscored just how reliant airlines and airports have become on a handful of technology providers—and how a single breach can have continent-wide consequences for travelers and the aviation industry alike.
For many passengers, the weekend’s events were a frustrating reminder of the unpredictability of modern travel. Yet for industry insiders, the attack served as a wake-up call: as digital systems become ever more central to aviation, the need for robust cybersecurity and contingency planning has never been more urgent. With ransomware attacks on the rise and criminals emboldened by lucrative payouts, the aviation sector faces a daunting challenge in defending itself against future threats.
As airports and airlines work to restore normalcy, the broader lesson is clear—cybersecurity is no longer a back-office concern, but a frontline issue with real-world consequences for millions of travelers. The events of this weekend may soon fade from memory for those who made their flights, but for the industry, the warning couldn’t be louder.