On Friday September 19, 2025, Collins Aerospace’s MUSE platform was compromised just before midnight, disrupting major European airports, including London Heathrow Airport, Brussels, and Berlin.
On September 21, the EU Agency for Cybersecurity confirmed that it was a ransomware attack incident. Security researchers identified the malware as a variant of HardBit ransomware, an “incredibly basic” but effective strain known to tie ransom demands to victims’ insurance limits.
As a result of this attack, Brussels airport cancelled 60 flights for Monday, 22 September, and requested reduced capacity by 50%, while Berlin’s systems remained open. There is still widespread travel disruption as a result of the attacks. Interestingly, Collins Aerospace was in the final stages of its necessary software updates.
Key impact for the aviation sector
Collins Aerospace’s MUSE software is used by multiple airlines across many airports to handle check-in, baggage, and boarding. Its software is so widely used by airports and airlines, which highlights both the dominance it has across airlines and the weakest points of the sector.
The attack has revealed that most major airports were not equipped to deal with the widespread disruption and relied upon manual processes when systems went down. The attack also revealed disparities in how prepared they were to respond. For example, Munster Onsabruck Airport was able to quickly switch to self-sufficient systems, demonstrating better resilience. Other airports resorted to using handwritten boarding passes, but these systems were not sufficient to handle the sheer volume of affected passengers. This is unusual because the aviation sector had seen a similar situation occur in July 2025 when CrowdStrike experienced an accidental software failure. Ultimately, the manual processes held up passengers, causing significant delays and disruption to all connected travel.
The World Economic Forum released a report highlighting that 54% of large organisations struggle with achieving cyber resilience due to supply chain challenges. The aviation sector is clearly behind and was not adequately prepared to deal with the attack, stressing the importance for the sector to re-evaluate the technology providers it uses and for airports to implement systems in place to diffuse the impact of a widespread attack.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataThe outcome of the airport attack
Cyberattacks are becoming increasingly prevalent, particularly as attackers are employing more sophisticated methods through the use of AI. This year, major retailers like Marks & Spencer and Co-Op reported attacks, serving as cautionary tales for the aerospace sector; however, it was still not well prepared.
The September 19 attack occurred just before the implementation of the EU’s NIS2 directive, which mandates stronger risk management and reporting for critical infrastructure. The directive brings more sectors under its purview, including data center providers, social media platforms, waste and wastewater management, critical product manufacturers, and public administration.
The incident is likely to be a key case study for how new regulations will be enforced, as it serves as an example of what regulators will look to prevent and diagnose ahead of disruption.
Following the failed initial restoration, Collins Aerospace and its parent company, RTX Corporation, have been working to rebuild affected systems from the ground up. In connection with the attack, a man in his 40s was arrested in West Sussex, which allows security experts to understand how the attack occurred and what systems were used to breach Collins’ software.
Finally, it is still unclear whether any sensitive data was compromised in all the uproar, and neither Collins Aerospace nor RTX has publicly disclosed the scope of any potential data breach.
