EU Cyber Agency Confirms Ransomware Attack Behind Airport Disruptions

Some of Europe’s busiest airports are still facing delays after a ransomware attack crippled critical check-in and boarding systems Friday, 19 September 2025. 

The European Union Agency for Cybersecurity (ENISA) confirmed that criminal hackers used ransomware to disrupt airport operations, forcing airlines to fall back on manual processes. The attack targeted Collins Aerospace’s Muse software, which is widely used for passenger check-in. 

“The type of ransomware has been identified. Law enforcement is involved,” ENISA said in a statement. 

The attack caused chaos across several airports, including London Heathrow, Berlin, and Brussels. 

Heathrow urged passengers to check flight updates before travelling, saying that while most flights were still operating, some passengers faced long waits. By Sunday, about half of its airlines including British Airways, were back online, many using backup systems. 

Brussels Airport cancelled nearly 140 of its 276 outbound flights on Monday, 22 September, with officials saying the timeline for full recovery remained “unclear”. 

At Berlin Airport, some airlines were still boarding passengers manually, with no estimate yet for when systems would be restored. 

Internal crisis memos seen by the BBC revealed more than 1,000 computers may have been compromised, forcing Collins engineers to carry out system rebuilds in person. One memo even noted that after systems were relaunched, hackers were still found to be inside. 

Ransomware attacks are typically launched by organised criminal gangs who demand payment often in bitcoin to unlock systems. While Collins Aerospace has not commented on whether ransom demands were made, the company described the event as a “cyber incident” and said it is in the final stages of implementing fixes. 

The UK’s National Cyber Security Centre confirmed it is working with Collins, affected airports, the Department for Transport and law enforcement to assess the full impact. 

 HardBit ransomware has been identified by researchers as the likely culprit, known for reinfecting systems and negotiating ransom based on cyber insurance coverage. A suspect was arrested in the UK in connection with the attack, though the investigation is still ongoing. 

This latest incident highlights just how vulnerable aviation has become to cybercrime. A recent report from Thales found cyberattacks in the aviation sector have surged by 600% in the past year. 

In April, UK retailer Marks & Spencer revealed a ransomware attack cost it at least £400 million and caused months of disruption, underscoring the financial and operational damage such attacks can cause. 

For now, Europe’s airports continue to recover, with passengers advised to expect delays and cancellations until systems are fully restored.