(DUBLIN, IRELAND) Dublin Airport is warning that millions of passengers who flew through the hub in August 2025 may have had parts of their personal information exposed after a ransomware attack struck a key third-party supplier, Collins Aerospace, and its widely used MUSE (Multi-User System Environment) software.
The incident, detected in mid-September and made public in late October, has drawn in Irish and European regulators, triggered airline notifications, and raised urgent questions about how a single vendor compromise can ripple across aviation. While investigators say no passport numbers or payment card details were exposed, data tied to August bookings—names, contact information, travel itineraries, booking references, frequent flyer numbers—was taken, raising the risk of targeted phishing and loyalty account theft. The Collins Aerospace breach also forced several European airports to revert to manual check-in and boarding as systems were taken offline to contain the attack.

Scope and immediate impact
- Dublin Airport processed 3,784,759 passengers in August 2025. Officials say every traveler during that month should treat their data as potentially affected until forensics conclude.
- The Everest ransomware group claimed responsibility and says it accessed about 1.5 million passenger records from systems connected to Collins Aerospace.
- That figure is lower than Dublin’s August total, but Everest’s listing on the dark web includes booking details and flight data samples.
- The full dataset remains behind a password and is not publicly available, according to security briefings shared with airlines and airport authorities.
- Immediate priorities are safety, containment, and slowing secondary harms such as scams that often follow a breach of this size.
The focus for authorities and companies now is on containment and protecting passengers from follow-on fraud using the leaked data.
Why a vendor breach can be so disruptive
Collins Aerospace’s MUSE software underpins check-in, boarding, and related functions at roughly 170 airports worldwide. When a core service like MUSE is hit by ransomware, even short outages can force airports into manual processing:
- Staff print passenger lists and check IDs by hand.
- Boarding gates use visual checks and radios instead of scanners.
- Airlines and airports deploy operational workarounds to keep flights moving.
DAA (Dublin Airport Authority) said its own systems were not directly compromised, but the vendor-side outage and data exfiltration forced coordinated responses with airlines and state agencies.
Timeline (key events)
- Attackers claim exfiltration around September 10–11.
- Attackers say contact with Collins Aerospace began September 16; no agreement reached.
- September 18 — Collins Aerospace notified DAA of the breach.
- September 19 — DAA confirmed boarding pass data tied to August flights had been posted online by cybercriminals.
- October 7 — Everest posted a public claim on its leak site.
- October 26–27 — Dublin Airport, several airlines, and European cybersecurity bodies briefed travelers and partners, warning of sophisticated fraud attempts.
What was and was not exposed
- Stolen fields include:
  - Booking references
  - First and last names
  - Frequent flyer numbers
  - Contact data (email addresses, phone numbers)
  - Trip details (flight numbers, itineraries, seat info)
- Confirmed not exposed:
  - National ID or passport numbers
  - Payment card or bank information
This distinction matters: without card data, direct payment fraud is less likely. Instead, attackers are likely to pursue targeted phishing and loyalty-account fraud, using accurate trip details to convince victims to click malicious links or reveal further data.
Operational disruption and staff response
When Collins Aerospace shut down parts of the MUSE environment to contain the breach, airports relying on it:
- Shifted to manual verification at check-in counters and boarding gates.
- Printed hard copies of passenger manifests and seat assignments.
- Relied on radio communications and visual checks to move passengers.
For staff this required calm and training: gate agents matched names on lists with IDs while keeping boarding moving. Airline call centers handled surges of concerned passengers, while security teams rotated credentials and blocked suspicious logins.
Loyalty programs and account takeover risk
Because frequent flyer numbers were in the stolen fields, criminals may attempt to:
- Log into airline accounts, steal miles, or book award tickets.
- Resell stolen award tickets or miles on secondary markets.
Airlines are advising customers to enable two-factor authentication (2FA), reset passwords, and watch for unusual account activity. Some carriers have already locked accounts showing risky login behavior.
Guidance for affected passengers
If you passed through Dublin Airport in August 2025, take these concrete steps:
- Enable multi-factor authentication on airline and frequent flyer accounts.
- Change passwords on travel-related accounts; avoid reusing old passwords.
- Verify messages by going directly to the airline’s app or website rather than clicking links.
- Treat messages about “urgent rebooking” or “payment verification” with extra caution.
- Check loyalty balances for strange redemptions or bookings you did not make.
- Monitor credit reports for unusual activity—even though no card data was exposed.
- Report suspicious messages to your airline and, if in Ireland, to the Data Protection Commission.
If you believe your personal data is being misused, contact Ireland’s Data Protection Commission for guidance, including how to file a complaint. Details are available on the DPC’s official site.
Regulators and airport leaders say there is no need to cancel or change trips based solely on the breach. The immediate risk is in inboxes and phones, not at the gate.
Investigation, regulators, and industry response
- Ireland’s Data Protection Commission (DPC) has opened a full investigation and is coordinating with aviation safety and cybersecurity bodies.
- The Irish Aviation Authority and the National Cyber Security Centre have been briefed.
- The European Union Agency for Cybersecurity (ENISA) notes that ransomware targeting supply-chain providers in aviation fits a broader pattern this year.
- Industry analysis (VisaVerge.com) finds attackers increasingly target technology providers to reach many airports and airlines at once, turning a single compromise into a cross-border problem quickly.
Airlines and airports are revisiting vendor contracts, security clauses, and breach-reporting requirements. Some are exploring fallback tools that can run locally or offline if shared platforms fail.
Technical questions under investigation
Forensics teams are prioritizing:
- How attackers first gained access to MUSE-related systems.
- What privileges and lateral access the attackers obtained.
- How long they moved undetected before discovery.
Remediation choices depend on the initial attack vector:
- If a stolen password was used, prioritize multi-factor enforcement and credential hygiene.
- If a software flaw was exploited, prioritize patch management and code review.
Policy and architectural lessons
Aviation is debating structural changes to reduce single points of failure:
- Decentralize critical services so one vendor outage cannot cascade.
- Improve vendor risk assessments and independent audits.
- Implement stronger multi-factor authentication for system access.
- Limit data retention where possible—shorter retention reduces exposure if attackers access records after trips have ended.
European regulators may move toward tighter rules for cybersecurity in aviation infrastructure, similar to other critical sectors. This could lead to mandatory standards, more frequent testing, and clearer reporting timelines.
Human stories and the real-world cost
- A parent received a message with their child’s name and seat number asking to “confirm a meal selection.” The message looked authentic because the details were correct.
- A frequent traveler discovered two award tickets booked out of their account; recovery took hours on the phone and damaged trust.
These examples explain why airports and airlines are urging August passengers to remain vigilant.
Communication and what passengers should expect
Clear, consistent messaging matters. Dublin Airport has emphasized repeatedly that no passport information, payment card details, or financial data were exposed. Airlines echo that message while urging account protections and caution around links.
Authorities also ask passengers not to share screenshots or links to stolen data online, as spreading those details can increase harm.
Final takeaways
- The Collins Aerospace breach demonstrates how a single compromised vendor can create cross-border disruption.
- Passengers should focus on account security: enable 2FA, change passwords, and verify messages via official channels.
- Airports and regulators are likely to push for architectural and contractual changes to reduce vendor-related risks.
- The DPC’s investigation will shape corrective steps and potential penalties, but the immediate priority is protecting passengers from targeted scams.
For now, the practical steps are simple and effective: secure your accounts, ignore suspicious links (even if they include real trip details), and contact your airline via official channels if you suspect fraud. Dublin Airport and partners will continue to share updates as investigations progress.
This Article in a Nutshell
In mid-September 2025, a ransomware attack on Collins Aerospace’s MUSE software led to exfiltration of passenger booking data linked to August flights through Dublin Airport. Although investigators say passport numbers and payment card details were not exposed, stolen fields included names, emails, phone numbers, booking references, itineraries, seat info and frequent flyer numbers. Dublin Airport processed 3,784,759 passengers in August and urged those travelers to treat their data as potentially affected. The Everest ransomware group claimed roughly 1.5 million records. Airports reverted to manual processing to maintain operations while regulators including Ireland’s DPC, the Irish Aviation Authority, NCSC and ENISA coordinate investigations. Passengers are advised to enable multi-factor authentication, reset travel-account passwords, monitor loyalty accounts and verify communications through official channels. The breach highlights supply-chain vulnerabilities in aviation and is prompting industry reviews of vendor risk, retention policies and fallback systems to reduce single points of failure.