EU Agency Confirms Ransomware Attack Behind Major Airport Disruptions

(LONDON) The EU Agency for Cybersecurity confirmed a major ransomware attack that disrupted airport operations across Europe between September 19 and 21, 2025, after a compromise of Collins Aerospace’s MUSE (ARINC cMUSe) software used for passenger processing. ENISA said on September 22 that the attack was ransomware-based and tied to a third-party vendor, with the specific strain identified but kept confidential while law enforcement continues its work. The impact was felt at some of the continent’s busiest hubs, including London Heathrow, Brussels, Berlin Brandenburg, Dublin, and Cork, where hundreds of flights were delayed or canceled and thousands of travelers were left in long lines.

Immediate operational impact

With automated check-in, baggage handling, and boarding systems down, airports fell back to manual methods. Staff handwrote boarding passes and baggage tags and checked passengers in using laptops and iPads.

• At Brussels, nearly 140 outgoing flights were canceled in a single day as crews struggled to keep planes moving.
• At Berlin Brandenburg on September 22, several departure lanes still posted delays of more than an hour while systems were being restored.

Collins Aerospace, part of RTX, acknowledged the cyber-related disruption and said it was in the final stages of bringing affected sites back online, prioritizing the busiest airports.

How the attack spread and why it was so disruptive

According to ENISA, the attack exploited the MUSE (ARINC cMUSe) software — the shared system that allows multiple airlines to use the same check-in and boarding infrastructure. This common-use model helps airports run more efficiently on normal days, but it also created a single point of failure that spread pain quickly when the system went down.

Experts warned this incident shows how digital interdependence can turn a software outage into a real-world disruption, with passengers stranded, crews out of position, and flight schedules in tatters.

“A shared digital backbone can speed travel on good days, yet expose a broad set of airports to the same failure at once.”

Investigation and response

Law enforcement agencies are investigating, and authorities have not named the ransomware strain or any suspected group. ENISA said it is supporting the response and coordinating with national authorities.

• Collins Aerospace reported it was deploying updates and working directly with airport IT teams.
• Restoration was underway by September 22, with some hubs nearing full functionality while others still warned passengers to plan extra time.

A senior analyst at cybersecurity firm Sophos, Rafe Pilling, noted that while big ransomware cases are more visible today, truly large-scale events that affect physical operations remain rare — though that is little comfort to affected travelers and staff.

Passenger experience and practical advice

As airports worked through backlogs, the scene often resembled air travel from decades ago: long queues, paper documents, and manual checks at the counter. Staff tried to keep things moving, but the sudden shift to manual fallback meant slower passenger processing and more last-minute gate changes.

For passengers, the immediate effects were simple and frustrating: delays, cancellations, and confusion about when systems would come back. Airport social media feeds and public address systems urged travelers to arrive early, expect long lines, and keep digital boarding passes ready when possible. Even tech-savvy passengers found that apps and kiosks could not help when the core back-end services were down.

Practical steps passengers can take:
1. Keep government-issued ID and any travel letters within reach for manual verification.
2. Take photos of checked baggage tags and paper boarding passes before heading to security.
3. Use airline apps for real-time gate and schedule changes, but be prepared for gaps if back-end systems are down.
4. If canceled, ask the airline about rebooking options and request written confirmation at the counter.

Policy context and regulatory implications

The ransomware attack spotlights the policy side of airport tech. Third-party risk is now central to aviation resilience.

• Contracts with vendors are likely to be reviewed to include clear cybersecurity clauses, real-time monitoring duties, and faster incident reporting.
• Resilience plans will likely commit airports to maintain and regularly test manual fallback so staff can switch modes without chaos.
• ENISA’s role as coordinator underscores the importance of a shared response framework. For official updates and technical guidance, travelers and industry professionals can consult ENISA.

Experts expect regulators to examine whether current rules are strong enough for systems that serve many airlines at once. Possible policy actions include better segmentation so a single compromised application cannot bring down check-in across multiple terminals, and joint drills simulating cyber outages, including communication dry runs.

What airports and airlines are doing next

While the investigation continues, airport operators are focusing on three main areas:

• Strengthening monitoring of third-party vendors tied to passenger processing tools like MUSE (ARINC cMUSe).
• Building more redundancy so that a digital failure does not escalate into mass cancellations.
• Improving public communications, including simple, timely guidance during manual processing periods.

Cybersecurity specialists emphasize limiting the blast radius when a compromise occurs. That means segmenting systems, testing manual procedures regularly, and agreeing on recovery priorities across large hubs. Collins Aerospace’s phased restoration — prioritizing the busiest airports — reflects such triage.

Key takeaways

• The compromise of a widely used third-party system can produce continent-wide disruption.
• Manual fallbacks prevented a total standstill but revealed vulnerabilities in contingency preparedness.
• Regulatory scrutiny and contractual changes are likely, focusing on third-party risk and resilience testing.
• For travelers: check with your airline before leaving home, build in extra time, carry paper copies of key documents, and follow airport advisories until systems are fully restored.

ENISA’s confirmation and the ongoing law enforcement work show that authorities are treating the incident as a serious threat to critical infrastructure. The sector faces tough questions on vendor oversight, service-level cybersecurity obligations, and how often airports should validate manual backups to avoid similar chaos in future.