The European aviation sector faced a stark reminder of its digital fragility over the weekend of September 19-21, 2025. A “cyber-related” disruption crippled passenger check-in, baggage handling, and boarding systems across several major European airports, including London Heathrow, Brussels, Berlin Brandenburg, Dublin, and Cork. The incident stemmed from a compromise of Collins Aerospace’s MUSE software, a widely used system underpinning critical airport operations.
On Monday, the speculation about “disruptions” was confirmed: a third-party ransomware attack is responsible. This confirmation comes from ENISA, the EU’s cybersecurity agency. Source: Reuters
For thousands of passengers, the result was chaos: flights delayed, cancellations stacking up, and confusion spreading across terminals. For the aviation industry, the attack highlighted something far more serious—how a single third-party vendor compromise can cascade into a continent-wide crisis.
What Happened in the European Airports Cyber Attack?
The disruption began on 19 September 2025 and quickly spread across the weekend of 20–21 September. Airports were forced to fall back on manual operations. Airline staff were handwriting boarding passes and manually checking in passengers.
While Collins Aerospace and its parent company RTX confirmed the disruption was cyber-related, the exact tactics used remain under investigation. The latest development, as of 22 September 2025, is that ENISA has officially said the disruptions were caused by a third-party ransomware incident.
Key Updates on the Attack:
- The type of ransomware has been identified (though ENISA has not made public which strain it is).
- Law enforcement is now intricately involved in the investigation.
- This confirms earlier suspicions that the incident was malicious, rather than a purely technical or incidental failure.
Vulnerabilities in Global Aviation: The Lesson Behind the Attack
Airports and airlines operate within an incredibly complex and interconnected ecosystem. This intricate network involves many players, each with a crucial role. They are all reliant on interconnected systems for seamless operations. This inherent reliance on interconnected systems means that a disruption to one part of the ecosystem can have, and has had, cascading effects throughout.
The attack has revealed several serious vulnerabilities in the aviation sector, such as:
- Over-Reliance on Vendors: One software provider’s failure created a single point of failure for an entire industry. At Brussels Airport, the impact was especially severe: hundreds of departing flights were asked to cancel or reduce operations, with nearly 140 outgoing flights cancelled on one day when the secure version of the check-in system was not available.
- Passenger Safety and Trust at Risk: Disruptions caused distress, delays, and reputational damage that may linger long after systems are restored. For instance, during the weekend of September 19-21, kiosks and bag-drop machines went offline in several airports; staff were forced to manually issue boarding passes, process baggage tags, and manage queues.
Moreover, ransomware implies not just disruption but potential extortion, data theft, or longer-term damage. The possibility that hackers could demand payment, or threaten release of sensitive data, adds new dimensions to the impact this incident will have on customer trust.
- Legal, Regulatory & Compliance Exposure: With ENISA involved and law enforcement investigating, there will be legal and regulatory ramifications for all the players involved. Whether the issues arise from data protection, passenger rights, or contract law, every business involved can expect to face compliance and legal pressures. Vendors and airports may be liable if found to have neglected reasonable cybersecurity safeguards.
How the Attack Unfolded: A Brief Timeline
| When | The attack began late Friday, 19 September 2025, with disruptions escalating through 20–21 September, and effects lingering into 22 September. |
| What was hit | Automatic check-in systems, self-service kiosks, bag-drop machines, boarding systems. Some aspects (like online/self-check) remained functioning. |
| Who | System provider: Collins Aerospace with its MUSE software. Airports & airlines using it. The attacker is still unidentified, but the vector was a third-party ransomware incident. |
| Size & Scope | Several major international airports; hundreds of flights cancelled/delayed. Disruption was cross-border. Some airports operating with more resilience than others (e.g., Heathrow had backup paths in some operations). |
Key Learnings for the Aviation Industry
The European Airports Cyber Attack is more than just a temporary disruption—it’s a case study in systemic weaknesses that every aviation executive must take seriously.
- Third-Party Risk Management: Vendors providing mission-critical systems must undergo rigorous cybersecurity due diligence and continuous monitoring. SLAs (Service Level Agreements) must have strong cybersecurity clauses, not just performance metrics. Vendors need to guarantee patch management, incident reporting, encryption standards, etc.
- Resilience and Redundancy – If there is one thing this attack has made abundantly clear, it’s that manual fallback systems are vital for the aviation sector. Digital-only dependence is a recipe for disaster, as we’ve seen over the weekend.
If one provider’s system fails, having alternate systems or offline/manual fallback must be more than a temporary workaround. When digital systems such as check-in counters, boarding gates, and baggage handling suddenly went offline due to the ransomware incident, operations could only continue because staff reverted to manual processes.
Without paper boarding passes, handwritten baggage tags, and human-led queue management, airports would have been forced into a complete standstill. Manual backups provided a critical safety net that ensured continuity of essential services and prevented total shutdown. They also bought precious time for technical teams to investigate the attack. Manual backups must be an indispensable part of aviation resilience planning.
- Proactive Incident Response – Organisations cannot wait for attribution or ransom notes. Fast, coordinated incident response will ALWAYS minimise impact, regardless of the industry.
For the aviation sector, a robust Incident Response plan and strategy is indispensable. A cyber attack of this scale doesn’t just create business and regulatory impact. Customers are directly impacted and hassled. It is likely to create the type of trust erosion that may take years to recover from.
How the Aviation Sector Can Prepare Against Future Incidents
This cyber attack underscores a truth we repeat often: it’s not a question of if, but when. Aviation is critical infrastructure, and the stakes are too high to leave cyber resilience to chance. At Cyber Management Alliance, we specialise in helping organisations prepare, test, and strengthen their defences against exactly these kinds of crises.
- Incident Response Preparation: Effective Cyber Incident Response is absolutely critical for any business, in any sector, to handle the ripple effects of a cyber attack. With aviation being critical infrastructure, the need for effective response cannot be overstated.
As the creators of the NCSC Assured Cyber Incident Planning and Response Training, we are the global experts in helping critical infrastructure businesses prepare a solid response strategy to cyber risks and threats of every nature.
We specialise in developing and refining robust Incident Response Plans specifically designed for the unique challenges of the aviation and transport sectors. Our comprehensive approach ensures that organisations are well-prepared to handle a wide range of incidents, from minor disruptions to major crises.
We focus on creating actionable strategies that minimise downtime and protect your most critical assets. Ensuring passenger safety, protecting sensitive information and maintaining regulatory compliance are the focal points of every Incident Response Plan. We also incorporate best practices for communication, coordination with authorities and post-incident recovery, providing a clear roadmap for efficient and effective incident resolution.
- Cyber Incident Tabletop Exercises: The concept of rehearsing response plans and crisis management strategies is not lost on the aviation sector. Pilots are regularly put through simulation sessions where they practise for possible disasters in the air. They are expected to rehearse their checklists such that they become a part of their muscle memory.
Cyber Tabletop Exercises achieve just that for anyone dealing with technical systems or responsible for business continuity in the face of a cyber disaster. Our highly interactive, bespoke scenario-based tabletop drills simulate real-world aviation attacks. They are literally the only way to help your teams practise for disasters before they strike. Participants are encouraged to think and respond as they would during an actual cyber event. The result is that they know exactly how to respond when the worst happens, mitigating the impact of any cybersecurity incident.
- Compliance Alignment – In the highly regulated aviation industry, a cyber attack doesn’t just create operational chaos—it can also trigger serious legal and regulatory consequences. Frameworks like EU NIS2, the Digital Operational Resilience Act (DORA), and NCSC guidance mandate strict reporting timelines and regular resilience testing. They expect businesses to have demonstrable cybersecurity governance. Failing to comply can mean heavy fines, loss of stakeholder trust, and reputational damage that lingers long after systems are restored.
CM-Alliance helps aviation businesses navigate this complex compliance landscape with confidence. Our training and consultancy programmes are specifically designed to align your organisation with these global frameworks. We ensure that your Incident Response Plans, Playbooks, and Tabletop Exercises incorporate regulatory requirements. These include but are not limited to mandatory breach reporting under NIS2, ICT third-party risk management under DORA, and the best-practice principles laid out by the NCSC.
By embedding compliance considerations into every stage of your preparedness—planning, testing, and response—we ensure your business isn’t just resilient to cyber threats, but also ready to prove resilience to regulators. This proactive approach reduces the risk of fines and shows investors that your organisation takes cybersecurity and compliance seriously.