Europewide Airport Outage: Ransomware Hits Check In Systems

September 22, 2025

A ransomware attack on a third‑party provider of passenger processing software disrupted check‑in and baggage‑drop systems at several major European airports over a weekend, forcing manual workarounds, triggering flight cancellations and delays, and drawing intervention from national cyber authorities and ENISA. The incident highlighted the systemic risk posed by widely used vendor platforms and the operational fragility of tightly coupled airport ecosystems.

What happened

On Friday night a cyber incident targeting MUSE, the passenger‑processing software from Collins Aerospace (owned by RTX), left electronic check‑in and baggage‑drop systems inoperable at multiple airports. Collins Aerospace confirmed a “cyber‑related disruption” to its software in select airports and said the impact could be mitigated through manual check‑in procedures while it worked to restore services. The European Union agency ENISA subsequently confirmed the outage was caused by a third‑party ransomware incident and said the ransomware type had been identified and law enforcement was investigating.

Airports affected and scale

Reportedly affected airports included London Heathrow, Berlin Brandenburg, Brussels, Dublin and Cork; Heathrow, Berlin and Brussels accounted for at least 29 cancelled departures and arrivals by 11:30 GMT on Saturday, according to aviation data provider Cirium. On that Saturday 651 departures had been scheduled from Heathrow, 228 from Brussels and 226 from Berlin. Brussels reported four diversions and asked airlines to cut departing flights by half the following day to avoid long queues, signalling disruption would continue into the weekend. Dublin temporarily evacuated Terminal 2 over a baggage concern; the terminal later reopened but the airport warned of lingering minor disruption.

Passenger experience and airline responses

Passengers faced long queues, uncertainty and manual processing at check‑in and bag drop. Airports advised travellers to confirm flight status with their airline before heading to the airport and to allow extra time for manual procedures. Responses from carriers varied: EasyJet said it expected minimal disruption and was operating normally; Delta and United reported only minor impacts and workarounds; Ryanair and IAG did not immediately comment.

Attribution, context and investigations

No individual or group had publicly claimed responsibility at the time of reporting, and there were no confirmed reports of data theft. ENISA’s public statement identified the cause as ransomware at a third‑party provider and confirmed law enforcement involvement. Security observers noted that sweeping outages of this kind can stem from ransomware, deliberate sabotage or credential compromise, and emphasised how vendor interdependence can amplify effects across multiple airports. Collins Aerospace has been referenced in breach‑tracking reporting previously, but RTX did not provide historical details in its statements about the current incident.

Which airports were not affected

Frankfurt, Zurich and Paris area airports (Charles de Gaulle, Orly and Le Bourget) publicly reported no disruption, indicating the outage was not uniformly continent‑wide.

Operational implications and lessons

The incident underlined the fragile, interdependent nature of the digital systems that underpin air travel: a single vendor outage cascaded into cancellations, diversions and manual contingency operations across several hubs. Recovery required staged restorations, manual fallback procedures and close coordination between airports, airlines, the vendor and national cyber authorities. The event reinforced calls for stronger third‑party vendor resilience, tested manual contingencies, clearer incident reporting and improved segmentation between passenger‑facing IT and operational systems.

Authorities and next steps

National cyber authorities in the UK, Germany and elsewhere engaged with affected airports, ENISA issued guidance and law enforcement carried out investigations. Collins Aerospace and RTX continued remediation efforts while forensic analysis and root‑cause work progressed. Passengers were advised to monitor airline communications for updates as restoration continued.