Collins Aerospace software breach causes airport disruptions throughout the weekend

Starting from September 19, 2025, operations at several European airports were disrupted by an attack that disabled electronic check-in and baggage drop systems, forcing airports to revert to manual operations and prompting widespread flight delays and cancellations. 

By September 22, the European Union Agency for Cybersecurity (ENISA) confirmed the incident as ransomware-related. Threat actors targeted the ARINC SelfServ cMUSE platform, a common-use passenger processing system deployed at major airports including London Heathrow, Brussels, Berlin Brandenburg, Dublin, and Cork. The company behind this software is Collins Aerospace, a US-based aviation technology provider owned by RTX Corporation.

While Collins Aerospace has not disclosed technical details, the outage impacted shared infrastructure used by multiple airlines. No threat actor has claimed responsibility, and attribution remains pending. The ransomware variant has not been publicly identified, and there is no confirmation of data exfiltration or ransom demands at this time.

Immediate mitigation efforts focused on reverting to manual check-in procedures and encouraging passengers to use online self-service tools. Airports deployed additional staff to assist travelers and maintain throughput. However, manual operations proved insufficient to match normal volumes, and delays persisted through the weekend. Heathrow and other airports issued public guidance urging passengers to verify flight status and arrive early, but recovery timelines remain uncertain.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

This incident is reminiscent of a June 2024 attack on CDK Global, a major software provider for automotive dealerships across North America. In both cases, ransomware actors targeted centralized technology platforms that serve thousands of downstream clients, causing widespread operational disruption without directly breaching the end-user organizations. CDK Global’s outage, attributed to the BlackSuit ransomware group, forced dealerships to revert to manual paperwork and halted sales, financing, and inventory tracking for days. Similarly, the Collins Aerospace breach disabled common-use passenger systems at major airports, grounding flights and forcing manual check-ins.

These events underscore the systemic risk posed by third-party technology providers in high-availability sectors and the urgent need for visibility, segmentation, and contingency planning across shared service environments. The attack on Collins Aerospace did not target airlines directly but disrupted their ability to serve passengers. The reliance on shared platforms like ARINC cMUSE introduces a single point of failure, and the lack of redundancy or segmentation amplified the impact.

This incident reinforces the need for continuous monitoring of vendor systems and contingency planning for service outages. Organizations should treat external platforms as extensions of their own infrastructure and require transparency into incident response capabilities. Service-level agreements should include provisions for cyberattack scenarios, and vendors should demonstrate tested recovery procedures. In this case, the lack of direct control over Collins Aerospace’s systems left airports and airlines dependent on the vendor’s remediation timeline causing financial losses and likely customer attrition.