European Airports Cyber Attack: ENISA Confirms Third-Party Ransomware

The European aviation sector faced a stark reminder of its digital fragility over the weekend (of September 19- 21, 2025). A “cyber-related” disruption crippled passenger check-in, baggage handling, and boarding systems across several major European airports, including London Heathrow, Brussels, Berlin Brandenburg, Dublin, and Cork. The incident stemmed from a compromise of Collins Aerospace’s MUSE software, a widely used system underpinning critical airport operations.

On Monday, the speculation about “disruptions” was confirmed: a third-party ransomware attack is responsible. This confirmation comes from ENISA, the EU’s cybersecurity agency. Source: Reuters

For thousands of passengers, the result was chaos: flights delayed, cancellations stacking up, and confusion spreading across terminals. For the aviation industry, the attack highlighted something far more serious—how a single third-party vendor compromise can cascade into a continent-wide crisis.

What Happened in the European Airports Cyber Attack?

The disruption began on 19 September 2025 and quickly spread across the weekend of 20–21 September. Airports were forced to fall back on manual operations. Airline staff were handwriting boarding passes and manually checking in passengers.

While Collins Aerospace and its parent company RTX confirmed the disruption was cyber-related, the exact tactics used remain under investigation. The latest development, as of 22 September 2025, is that ENISA has officially said the disruptions were caused by a third-party ransomware incident. 

Key Updates on the Attack:

• The type of ransomware has been identified (though ENISA has not made public which strain it is).
• Law enforcement is now intricately involved in the investigation.
• This confirms earlier suspicions that the incident was malicious, rather than purely technical or incidental failure. 

  

Vulnerabilities in Global Aviation: The Lesson Behind the Attack

Airports and airlines operate within an incredibly complex and interconnected ecosystem. This intricate network involves many players, each with a crucial role. They are all reliant on interconnected systems for seamless operations. This inherent reliance on interconnected systems means that a disruption to one part of the ecosystem can have, and has had, cascading effects throughout. 

The attack has revealed several serious vulnerabilities in the aviation sector such as:  

• Over-Reliance on Vendors: One software provider’s failure created a single point of failure for an entire industry. At Brussels Airport, the impact was especially severe: hundreds of departing flights were asked to cancel or reduce operations, with nearly 140 outgoing flights cancelled on one day when the secure version of the check-in system was not available.
• Passenger Safety and Trust at Risk: Disruptions caused distress, delays, and reputational damage that may linger long after systems are restored. For instance, during the weekend of Sept 19-21, in several airports, kiosks and bag-drop machines went offline; staff were forced to manually issue boarding passes, process baggage tags, and handle queueing better.

  Moreover, ransomware implies not just disruption but potential extortion, data theft, or longer-term damage. The possibility that hackers could demand payment, or threaten release of sensitive data, adds new dimensions to the impact this incident will have on customer trust.

• Legal, Regulatory & Compliance Exposure: With ENISA involved and law enforcement investigating, there will be legal and regulatory ramifications for all the players involved. Whether regulatory issues arise due to data protection, passenger rights, contract law, every business involved can expect to face compliance and legal pressures. Vendors and airports may be liable if found to have neglected reasonable cybersecurity safeguards.

How the Attack Unfolded: A Brief Timeline 

Key Learnings for the Aviation Industry

The European Airports Cyber Attack is more than just a temporary disruption—it’s a case study in systemic weaknesses that every aviation executive must take seriously.

1. Third-Party Risk Management:  Vendors providing mission-critical systems must undergo rigorous cybersecurity due diligence and continuous monitoring. SLAs (Service Level Agreements) must have strong cybersecurity clauses, not just performance metrics. Vendors need to guarantee patch management, incident reporting, encryption standards, etc.
2. Resilience and Redundancy – If there is one thing, this attack has made abundantly clear, it’s that manual fallback systems are vital for the aviation sector. Digital-only dependence is a recipe for disaster as we’ve seen over the weekend. If one provider’s system fails, having alternate systems or offline/manual fallback must be more than a temporary workaround. When digital systems such as check-in counters, boarding gates, and baggage handling suddenly went offline due to the ransomware incident, operations could only continue because staff reverted to manual processes.

   Without paper boarding passes, handwritten baggage tags, and human-led queue management, airports would have been forced into a complete standstill. Manual backups provided a critical safety net that ensured continuity of essential services and prevented total shutdown. They also bought precious time for technical teams to investigate the attack. Manual backups must be an indispensable part of aviation resilience planning.