On Friday 19 September, Collins Aerospace’s MUSE platform was compromised just before midnight, disrupting major European airports, including London Heathrow Airport, Brussels, and Berlin.
On September 21, the EU’s ENISA confirmed the event was a ransomware attack. Security researchers identified the malware as a variant of HardBit ransomware, an “incredibly basic” but effective strain known to tie ransom demands to victims’ insurance limits.
Go deeper with GlobalData
Access deeper industry intelligence
Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.
The UK National Crime Agency said one man has been arrested in relation to the attack, but its investigation is still ongoing. Deputy director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing. Cybercrime is a persistent global threat that continues to cause significant disruption to the UK.”
According to the latest Cirium data, 217 flights have been cancelled across the three affected airports since Saturday (including both arrivals and departures).
Key impact for the aviation sector
Collins Aerospace’s MUSE software is used by multiple airlines at many airports to handle check-in, baggage, and boarding, highlighting its dominance and the potential weak points of the sector.
The attack revealed that some major airports were not equipped to deal with the widespread disruption digitally, and relied upon manual processes when systems went down. The attack also revealed disparities in how prepared they were to respond. For example, Munster Onsabruck Airport was able to quickly switch to self-sufficient systems, demonstrating better resilience. Other airports resorted to using handwritten boarding passes, but these systems were not sufficient to handle the sheer volume of affected passengers. This is unusual because the aviation sector had seen a similar situation occur in July 2025 when CrowdStrike experienced an accidental software failure. Ultimately, the manual processes held up passengers, causing significant delays and disruption to the connected travel ecosystem.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataThe World Economic Forum released a report highlighting that 54% of large organisations struggle with achieving cyber resilience due to supply chain challenges.
Parts of the aviation sector are clearly behind and were not adequately prepared to deal with the attack, stressing the importance for the sector to re-evaluate the technology providers it uses and for airports to implement systems in place to diffuse the impact of a widespread attack.
The outcome of the airport attack
Cyberattacks are becoming increasingly prevalent, particularly as attackers are employing more sophisticated methods through the use of AI. This year, major UK retailers like Marks & Spencer and Co-operative were attacked, serving as cautionary tales for the aviation sector; however, it was still not well prepared.
The 19 September attack occurred just before the implementation of the EU’s NIS2 directive, which mandates stronger risk management and reporting for critical infrastructure. The directive brings more sectors under its purview, including data center providers, social media platforms, waste and wastewater management, critical product manufacturers, and public administration.
The incident is likely to be a key case study for how new regulations will be enforced, as it serves as an example of what regulators will look to prevent and diagnose ahead of disruption.
Following the failed initial restoration, Collins Aerospace and its parent company, RTX Corporation, have been working to rebuild affected systems from the ground up.
It is still unclear whether any sensitive data was compromised in all the uproar, and neither Collins Aerospace nor RTX has publicly disclosed the scope of any potential data breach.
