Ransomware attack behind widespread airport disruptions, EU agency says

Source of the attack still not disclosed

The EU’s cybersecurity agency has confirmed that a ransomware attack was responsible for the disruption of automated check-in systems at several major European airports in recent days.

“ENISA is aware of the ongoing disruption of airports’ operations, which were caused by a third-party ransomware incident,” the European Union Agency for Cybersecurity (ENISA) said in a statement.

“At this moment, ENISA cannot share further information regarding the cyberattack.”

The agency did not disclose the source of the attack.

The attack targeted Collins Aerospace, a subsidiary of RTX, and disabled its MUSE passenger processing software. The system is widely used across Europe, allowing multiple airlines to share check-in desks and boarding gates rather than relying on dedicated facilities.

The outage has rippled across some of the continent’s busiest hubs, including London Heathrow, Brussels, Berlin, and Dublin, affecting dozens of flights and thousands of passengers since Friday.

Ongoing chaos at major airports

Collins Aerospace said on Monday it was “working closely with airports to restore full functionality” and had nearly completed updates. Still, disruptions persisted.

At Brussels Airport, one of the hardest hit, authorities asked airlines to cancel half of all scheduled departures on Monday after Collins failed to deliver a secure, updated version of its software in time.

The airport cancelled 50 of 257 departures on Sunday, following 25 cancellations out of 234 flights on Saturday. By Monday, roughly 60 flights out of 550 scheduled arrivals and departures had been scrapped.

Brussels Airport resorted to using iPads and laptops to check passengers in manually.

Heathrow, Europe’s busiest airport, reported that disruption had eased considerably by Sunday.

“Airlines across Heathrow have implemented contingencies whilst their supplier Collins Aerospace works to resolve an issue with their airline check-in systems at airports across the world,” a Heathrow spokesperson told Reuters.

Aviation data firm Cirium confirmed delays at Heathrow were “low.”

By contrast, Berlin Airport reported moderate disruption, worsened by heavy passenger traffic linked to the Berlin Marathon. With check-in systems still down, officials reported delays of more than an hour for some departures.

One passenger described the process as “like the early decades of air travel,” with handwritten boarding passes.

Dublin Airport described the impact as “minimal,” with manual procedures in place.

Several major airlines reported being less affected. EasyJet said its operations were normal on Sunday, while Delta Air Lines relied on a workaround to minimise delays.

United Airlines described the impact as “minor,” with no cancellations.

A rising cybersecurity concern

Experts say the attack is part of a wider trend of ransomware groups targeting high-profile victims.

“Disruptive attacks are becoming more visible in Europe, but visibility doesn’t necessarily equal frequency,” said Rafe Pilling, director of threat intelligence at British cybersecurity firm Sophos.

“Truly large-scale, disruptive attacks that spill into the physical world remain the exception rather than the rule.”

A survey conducted by German industry group Bitkom found ransomware to be the most common form of cyberattack, with one in seven companies admitting to having paid a ransom.

JLR extends production stoppage

Europe has already seen significant cyber incidents this year, attacks on UK retailer Marks & Spencer that triggered losses in the hundreds of millions of pounds and a breach at Jaguar Land Rover (JLR), discovered on 31st August, which halted car production.

JLR announced Tuesday that production at its car plants will not resume until 1st October. This follows an earlier extension date of 24th September.

A spokesperson said: “Today we have informed colleagues, suppliers and partners that we have extended the current pause in production until Wednesday 1 October 2025, following the cyber incident.

“We have made this decision to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation.

“Our teams continue to work around the clock alongside cybersecurity specialists, the NCSC (National Cyber Security Centre) and law enforcement to ensure we restart in a safe and secure manner.”