The cyberattack targeting Collins Aerospace has triggered significant disruptions across major European airports, revealing critical lessons for the aviation sector and cybersecurity professionals alike. Below is an in-depth analysis from Wiseman Cybersec’s perspective, examining the incident, its operational fallout, and what it means for enterprise resilience in transport infrastructure.
Incident Overview
On September 19, 2025, Collins Aerospace, a crucial provider of check-in and boarding system software known as MUSE, was struck by a sophisticated ransomware attack. The incident swiftly took digital check-in and baggage drop-off systems offline at flagship locations such as London Heathrow, Brussels, Berlin, Dublin, and Cork airports. The attack was confirmed by ENISA, the European Union Agency for Cybersecurity, as ransomware-driven via Collins Aerospace’s third-party network, affecting hundreds of flights and leaving airlines reliant on manual procedures.
Operational Disruption and Response
- Heathrow Airport faced delays and cancellations, deploying extra ground staff and reverting to pen-and-paper check-ins. Other airports like Brussels, Berlin, Dublin, and Cork saw disruptions ranging from hour-long delays to dozens of cancelled flights.
- Manual fallbacks—iPads, handwritten boarding passes, and increased staff—kept most flights running but were unable to match the scale and speed of automated operations.
- Collins Aerospace began restoring systems over the weekend. By September 22, they were close to completing core updates, while forecasting that manual operations could continue for at least another week.
Investigation and Attribution
The UK’s National Crime Agency (NCA), partnering with other European agencies, arrested a suspect in West Sussex shortly after the attack, citing Computer Misuse Act offences. As of press time, the group responsible remains publicly unidentified, with authorities not confirming any ransom payment or data breach affecting passenger personal information. Notably, this attack followed prior ransomware incidents at Collins Aerospace, reflecting persistent threats to aviation supply chains.
Sector Vulnerabilities and Escalation
Wiseman Cybersec highlights several key concerns:
- Single points of failure: Centralised, networked systems like MUSE allow an attack to ripple across multiple airports simultaneously.
- Ineffective offline processes: The fallback to manual check-in exposed inadequacies in contingency protocols for servicing modern passenger volumes.
- Cascading supply-chain impact: Reliance on third-party vendors magnifies risk, as seen here and in other cyber incidents like the July 2024 CrowdStrike sensor outage, which paralysed global aviation temporarily.
Industry data supports the escalation: Aviation sector cyber-attacks spiked by 600% year-on-year in June 2025, underscoring a growing threat landscape driven by ransomware, evolving attack tools, and sophisticated threat actor tradecraft.
Lessons and Recommendations
For Airport Operators
- Review reliance on shared systems and establish redundancy for core operations, such as alternative check-in and boarding solutions.
- Conduct routine tabletop exercises for ransomware and infrastructure outages, ensuring manual processes remain practised and scalable.
- Collaborate with vendors to enforce rapid patching, regular network segmentation, and secure communications.
For Technology Providers
- Harden third-party integrations and conduct deep audits for backdoors from prior breaches.
- Mandate incident response playbooks for enterprise customers and provide real-time system health transparency.
- Share intelligence and response strategies with international aviation and cybersecurity bodies to limit cross-jurisdictional risk.
For CISOs and IT Administrators
- Monitor threat intelligence for ransomware group activity targeting transportation and coordinate with law enforcement on patterns and proactive defence.
- Deploy multifactor authentication, monitoring, and endpoint protection across all connected assets, prioritising aviation-critical environments.
- Prepare for regulatory fallout as oversight tightens around supply-chain cybersecurity and public safety assurance.
Conclusion
The Collins Aerospace cyberattack demonstrates the profound vulnerability of modern transport infrastructure to targeted, ransomware-driven threat campaigns. For aviation and cybersecurity leaders, the incident is a wake-up call: resilience must balance technological sophistication with operational simplicity, redundancy, and robust human processes. Wiseman Cybersec urges the industry to treat every incident as an opportunity to elevate standards, reduce risk, and protect the continuity of critical services on which millions depend daily.
