Major cyberattack on Collins Aerospace disrupts european airport operations

A cyberattack targeted Collins Aerospace on Friday night, September 19, 2025, causing widespread disruption across major European airports and forcing significant delays and cancellations. 

The incident affected the company's MUSE (Multi-User System Environment) software, a check-in and boarding system used by airlines on multiple airports globally.

Collins Aerospace, a subsidiary of RTX Corporation (formerly Raytheon Technologies), confirmed it became aware of a "cyber-related disruption" to its MUSE software at select airports.

The attack rendered electronic check-in and baggage handling systems inoperable, forcing airports to revert to manual procedures, hand-written baggage tags and phone-based boarding lists.

The incident severely impacted operations at several major European aviation hubs: 

• Brussels Airport confirmed the cyberattack in an official statement, reporting "a large impact on the flight schedule" with only manual check-in and boarding procedures possible. By mid-morning Saturday, Brussels Airport reported nine flight cancellations, four redirected to other airports, and 15 flights delayed by over an hour, with approximately 35,000 passengers expected to depart that day. Airlines were later asked to cancel half their flights to and from Brussels between 04:00 GMT Saturday and 02:00 GMT Monday due to the ongoing disruption.
• London's Heathrow Airport, Europe's busiest hub, experienced what officials described as "minimal" disruption compared to other affected locations. While Heathrow reported no flight cancellations directly linked to the Collins Aerospace problems, the airport advised passengers to check flight status before traveling and not arrive more than three hours before long-haul flights.
• Berlin's Brandenburg Airport also faced longer waiting times at check-in. Operators disabled connections to affected systems as a precautionary measure.
• Dublin and Cork airports in Ireland reported minor impacts from the Europe-wide software issue, and some airlines implemented manual check-in processes. 

Aviation analytics provider Cirium reported that across the affected airports, 35 departures and 25 arrivals were canceled on Saturday, with an additional 38 departures and 33 arrivals canceled by Sunday morning. 

The nature of the attack, any exposed data and impacted individuals is not disclosed.

RTX Corporation issued a statement confirming the incident: "The impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations. We are actively working to resolve the issue and restore full functionality to our customers as quickly as possible." 

Update - The European Union’s cybersecurity agency ENISA confirmed that the cyber attack caused disruptions of operations at several European airports over the weekend and that a third-party services provider suffered a ransomware incident.

As of 24th of September 2025, investigators report that Collins Aerospace was hit by HardBit ransomware. Cybersecurity experts note that the attack involved an "incredibly basic" variant of the malware that first emerged in 2022 and is known for negotiating ransom amounts based on victims' cyber insurance policies. The company is reportedly struggling with malware removal, experiencing reinfection of devices following cleanup attempts.

A man in his forties was arrested in West Sussex on suspicion of Computer Misuse Act offenses related to a the attack

As of 19th of October 2025, Collins Aerospace (RTX) appeared on the dark web portal of the Everest Ransomware cyber gang, with timers threatening publication of data.
The screenshots refers to “ Databases over 50GB ”, “ FTP Access List" and "MUSE-INSECURE".