Husain Parvez
Published on: October 3, 2025
A ransomware attack targeting Collins Aerospace’s MUSE check-in software caused widespread disruption across European airports beginning Friday, with continued delays and flight cancellations reported through the weekend.
The European Union Agency for Cybersecurity (ENISA) confirmed the incident on Monday, stating that “the type of ransomware has been identified. Law enforcement is involved to investigate.” Affected airports included London Heathrow, Brussels Zaventem, Berlin Brandenburg, and others using Collins’ automated check-in systems.
The attack disabled critical airline services, forcing airports to revert to manual boarding processes. Heathrow Airport told Reuters that “airlines across Heathrow have implemented contingencies whilst their supplier Collins Aerospace works to resolve an issue.” By Sunday, about half the airlines operating from Heathrow had restored partial access using backup systems.
The BBC obtained internal crisis memos showing Heathrow staff were instructed to continue manual check-ins while Collins rebuilt infected systems. However, the same memo warned that “more than a thousand computers may have been ‘corrupted’” and cleanup was mostly being done in person due to continued hacker presence within systems.
Brussels Airport canceled more than 130 outbound flights on Monday, while Berlin reported over an hour of delays for many departures. The Berlin Marathon worsened congestion at Brandenburg Airport, with passengers describing the experience as similar to early commercial air travel.
Collins Aerospace, a subsidiary of RTX, said on Monday it was “in the final stages of completing necessary software updates.” The company has not disclosed the exact nature of the ransomware strain, but reports suggest it may be linked to a group using the HardBit variant.
UK police have since arrested a man in his 40s in West Sussex in connection with the attack under the Computer Misuse Act. He has been released on conditional bail pending further investigation.
While ENISA and national agencies continue their inquiry, security experts like Sophos’ Rafe Pilling caution that “disruptive attacks are becoming more visible in Europe, but visibility doesn’t necessarily equal frequency.”
