On September 19, 2025, Collins Aerospace, a subsidiary of RTX Corporation, experienced a ransomware attack targeting its Multi-User System Environment (MUSE) passenger processing software. This software is integral to airport operations, enabling multiple airlines to share check-in desks, boarding gates, and baggage handling facilities. The cyberattack led to significant disruptions across several major European airports, including London Heathrow, Berlin Brandenburg, and Brussels Airport.
Scope and Impact of the Attack
The ransomware infiltrated systems supporting the MUSE software, which operates on customer-specific networks outside of RTX’s enterprise infrastructure. As a result, automated check-in and boarding processes were severely affected, causing widespread flight delays and cancellations. Airports had to revert to manual procedures to manage passenger processing, leading to long queues and operational inefficiencies.
Brussels Airport faced the most significant challenges, canceling 25 flights on Saturday, 50 on Sunday, and requesting airlines to cancel nearly 140 departing flights on Monday—half of its scheduled departures. The unavailability of a secure update to the compromised system exacerbated the situation. In contrast, London Heathrow and Berlin Brandenburg reported gradual improvements, though some delays persisted. Self-service kiosks and online check-in options remained functional, providing some relief to the affected operations.
Response and Mitigation Efforts
Upon detecting the incident, RTX activated its incident response plan, engaging both internal and external cybersecurity experts to assess, contain, and remediate the attack. The company promptly notified domestic and international law enforcement authorities and relevant government agencies. RTX is collaborating closely with its customers, offering technical support and guidance to affected airlines and airports. Despite these efforts, the company acknowledged that customers have had to resort to backup or manual processes, resulting in flight delays and cancellations.
The European Union Agency for Cybersecurity (ENISA) confirmed that the disruptions were caused by a ransomware incident affecting a third-party system provider. ENISA is actively monitoring the situation and working with relevant stakeholders to mitigate the impact and prevent future occurrences.
Arrest and Ongoing Investigations
British law enforcement arrested a man in his 40s in connection with the ransomware attack. The individual was detained under the Computer Misuse Act and released on conditional bail. The National Crime Agency (NCA) emphasized that the investigation is still in its early stages, and the specific group responsible for the cyberattack has not been identified. No claims of responsibility have appeared on dark web leak sites monitored by cybersecurity experts.
Broader Implications and Industry Response
This incident underscores a growing trend of cybercriminals targeting high-profile companies and critical infrastructure for financial gain and reputational prestige within hacking circles. Cybersecurity experts warn that while most ransomware aims for extortion, a growing number are engineered for maximum disruption. Groups like Scattered Spider have drawn attention for attacks on institutions like Marks & Spencer and London’s Transport for London, signaling a concerning shift in cyber threat dynamics.
The aviation industry, given its reliance on interconnected systems and shared infrastructure, remains a prime target for cyberattacks. This event highlights the urgent need for enhanced cybersecurity measures, regular system audits, and comprehensive incident response plans to safeguard against such threats.
Conclusion
The ransomware attack on Collins Aerospace’s MUSE software has had a profound impact on European airport operations, causing significant disruptions and highlighting vulnerabilities within the aviation industry’s digital infrastructure. As investigations continue and systems are restored, this incident serves as a stark reminder of the critical importance of robust cybersecurity practices in safeguarding essential services and infrastructure.
