A third-party ransomware attack caused disruptions at several European airports over the weekend, the European Union’s cybersecurity agency said Monday. The cyberattack on Collins Aerospace’s MUSE check-in and boarding software disrupted operations at several major European airports over the weekend, causing long queues, delays, and cancellations. Heathrow, Brussels, and Berlin were among the airports affected, highlighting ongoing operational challenges in the European aviation sector.
“The type of ransomware has been identified, and law enforcement is investigating,” the European Union Agency for Cybersecurity (ENISA) reportedly said in a statement.
Meanwhile, Heathrow Airport said that work continues to resolve and recover from the outage of a Collins Aerospace airline system that impacted check-in. “We apologise to those who have faced delays, but by working together with airlines, the vast majority of flights have continued to operate,” it wrote in a Monday message posted on X, formerly Twitter. “We encourage passengers to check the status of their flight before travelling to Heathrow and to arrive no earlier than three hours for long-haul flights and two hours for short-haul.”
Brussels Airport wrote in a Sunday message on X that “Disrupted airport operations also on Monday 22 September, causing flight delays and cancellations. Check the status of your flight before coming to the airport.”
“The service provider is actively working on the issue and trying to resolve the problem as quickly as possible,” Brussels Airport said in a website post. “At the moment, it is still unclear when the issue will be resolved.”
It added that the disruption is affecting the flight schedule, causing delays and cancellations. Passengers are advised to check their flight status with their airline before traveling and to come to the airport only if their flight is confirmed. Online check-in is recommended. Those with confirmed flights should arrive on time, two hours before flights within the Schengen area and three hours for flights outside it, and follow the airport’s information channels for updates.
Following news of a cyber incident impacting Collins Aerospace, an NCSC spokesperson said in a Saturday statement, “We are working with Collins Aerospace and affected UK airports, alongside Department for Transport and law enforcement colleagues, to fully understand the impact of an incident.”
The spokesperson added that “all organisations are urged to make use of the NCSC’s free guidance, services and tools to help reduce the chances of a cyber attack and bolster their resilience in the face of online threats.”
One of Russia’s busiest airports reported on Friday that its website had been taken offline in a cyberattack. Pulkovo Airport, St. Petersburg’s main air hub and the nation’s second-largest, said website access was temporarily restricted but emphasized that airport operations were continuing normally. “Check-in for flights is proceeding as usual,” the airport said in a statement, noting that specialists were working to restore the service.
The airport did not disclose details about the attack or whether other parts of its digital infrastructure were affected.
The incident follows a report from Siberian regional carrier KrasAvia, which said a system failure had disrupted some online services. While the airline did not confirm a cyberattack, it told local media that the malfunction resembled the outage that affected national carrier Aeroflot in late July.
Governments and companies have faced a wave of cyberattacks in recent months, including automaker Jaguar Land Rover, which was forced to pause production.
The U.K. government is actively addressing the incident, which has also disrupted the wider automotive supply chain.
“The Government, including government cyber experts, are in contact with the company to support the task of restoring production operations, and are working closely with JLR to understand any impacts on the supply chain,” according to a Friday joint statement from the Department for Business and Trade (DBT) and the Society of Motor Manufacturers and Traders, following a meeting. “On Friday, 19 September, the Society of Motor Manufacturers and Traders (SMMT) held an extraordinary meeting of its Automotive Components Section, which was attended by Department for Business and Trade (DBT) officials.”
The statement added that “this allowed us to listen to suppliers directly and understand the challenges and concerns they are facing.”
Commenting on the cyberattack on European airports, Cody Barrow, CEO at EclecticIQ, wrote in an emailed statement to Industrial Cyber that “This attack is a clear reminder of how fragile aviation operations can be when critical systems depend on a handful of third-party providers. By targeting a single vendor, attackers were able to disrupt airports across multiple countries, a textbook example of supply chain risk in action.”
Barrow added that the aviation sector has invested heavily in safety, but cybersecurity resilience hasn’t kept pace. “Operators and regulators need to ensure that essential systems can continue to function even when vendors are compromised. That means building redundancy, running realistic contingency exercises, and ensuring threat intelligence flows quickly between partners. We should expect incidents like this to become more frequent, and the sector must treat cyber resilience with the same urgency as physical safety.”
