Travelers across Europe faced a chaotic weekend and a turbulent start to the week as a ransomware cyberattack crippled check-in systems at several of the continent’s busiest airports. The disruption, which began late Friday, September 19, 2025, sent ripples through airports in Brussels, Berlin, London, and Dublin—leaving passengers stranded, flights canceled, and airport staff scrambling to keep operations afloat with old-school, manual workarounds.
According to the European Union Agency for Cybersecurity (ENISA), the attack targeted a third-party provider’s systems—specifically, the check-in and boarding software developed by Collins Aerospace, a U.S.-based company owned by RTX. ENISA confirmed on Monday, September 22, that the incident was caused by ransomware, a type of malicious software that locks data and demands payment for its release. Law enforcement agencies across Europe quickly became involved, launching investigations into the origins and perpetrators behind the attack. "The type of ransomware has been identified. Law enforcement is involved to investigate," ENISA stated, though the agency stopped short of naming the specific strain or its source.
The fallout was felt most acutely at Brussels Airport, which appeared to bear the brunt of the disruption. Over the weekend, the airport had to cancel 25 outbound flights on Saturday and 50 on Sunday. By Monday, the situation had worsened: Brussels Airport asked airlines to cancel nearly 140 departing flights scheduled for that day, citing the ongoing inability of Collins Aerospace to deliver a secure, restored version of their check-in system. In total, at least 40 of 277 departing flights and 23 of 277 arriving flights were canceled on Monday alone, according to airport spokesperson Ihsane Chioua Lekhli. "It is not yet clear when we will be able to switch back to the normal check-in and boarding system," she admitted in an email to the press.
Despite these hurdles, Brussels Airport managed to keep 85% of scheduled departures running over the weekend by deploying extra staff and relying heavily on self-service bag drop and online check-in options. The cyberattack only affected the computer systems at check-in desks, leaving self-service kiosks and online check-in platforms operational. Passengers, however, were advised to double-check their flight status before heading to the airport and to use alternative check-in methods wherever possible. In some cases, airline staff resorted to handwriting boarding passes or using backup laptops and iPads to process passengers—a throwback that one traveler described as reminiscent of "the early decades of commercial air travel."
The disruption was not limited to Belgium. Berlin’s Brandenburg Airport, already bustling with increased traffic due to the Berlin Marathon on Sunday, September 21, struggled to restore its check-in systems by Monday. Departure delays of over an hour were reported, and the airport displayed a banner on its website warning passengers of longer waiting times at check-in. Nevertheless, the airport said it had managed to keep operations "largely stable," with most delays kept under an hour, and encouraged travelers to use online check-in and self-service kiosks to minimize inconvenience.
London’s Heathrow Airport, the busiest in Europe, also experienced technical issues stemming from the attack on its third-party supplier. However, by Monday, the vast majority of flights at Heathrow were operating as normal, with only minor delays reported for some flights during check-in and boarding. A Heathrow spokesperson told the press, "The vast majority of flights at Heathrow are operating as normal, although check-in and boarding for some flights may take slightly longer than usual."
Dublin Airport, meanwhile, reported only minimal impact. Some airlines continued to use manual workarounds on Monday, leading to longer bag drop times, but there were no flight delays or cancellations attributed to the ransomware attack, according to airport spokesman Graeme McQueen.
Collins Aerospace, the company at the epicenter of the crisis, acknowledged the "cyber-related disruption" to its MUSE software, which is used by about 300 airlines at 100 airports worldwide. In a statement released over the weekend, Collins said, "We have become aware of a cyber-related disruption to our MUSE software in select airports." The company emphasized that the impact was "limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations." RTX, the parent company of Collins Aerospace, did not immediately respond to multiple requests for comment from several news organizations.
The European Commission sought to reassure the public, confirming that aviation safety and air traffic control systems were unaffected by the attack. "There was currently no indication of a widespread or severe attack, while the origin of the incident remained under investigation," the Commission said in a statement. Nevertheless, the incident underscored the growing risks that ransomware and other cyberattacks pose to critical infrastructure across Europe.
Cybersecurity experts weighed in, noting that while disruptive attacks on high-profile targets like airports are becoming more visible, they remain relatively rare. Rafe Pilling, director of threat intelligence at British cybersecurity firm Sophos, told Reuters, "Disruptive attacks are becoming more visible in Europe, but visibility doesn’t necessarily equal frequency. Truly large-scale, disruptive attacks that spill into the physical world remain the exception rather than the rule."
The financial impact of ransomware attacks is also mounting. A recent survey by German industry group Bitkom, which polled about 1,000 companies, found that ransomware was the most common form of cyberattack, with one in seven companies admitting to having paid a ransom to regain access to their data. The group reported that ransom payments had reached a record high of 202 billion euros ($238 billion) in 2025—a stark reminder of the lucrative business model driving these attacks.
The recent airport cyberattack is just the latest in a string of incidents targeting major institutions. Last December, a cyberattack on Japan Airlines caused widespread delays, and in June, Columbia University was forced to shut down its computer systems after a hacktivist breach. As digital systems become ever more integral to the daily operations of airports and other critical infrastructure, the stakes—and the risks—continue to climb.
For now, European airports, airlines, and their passengers are left grappling with the aftermath of a digital attack that brought an industry reliant on speed and efficiency back to the era of paper and patience. While most flights are resuming and systems are inching toward normalcy, the episode serves as a stark warning: the front lines of aviation security now extend far beyond the tarmac, deep into the digital realm.
