A major ransomware attack targeting Collins Aerospace’s Muse check-in and boarding systems forced several European airports to revert to manual operations, causing widespread flight delays and cancellations over the weekend.
The disruption affected major hubs including Heathrow, Brussels, Berlin, and Dublin, highlighting the vulnerability of critical aviation infrastructure to sophisticated cyber threats.
Paul Foster, the NCA deputy director and head of the agency’s national cyber crime unit, said: “Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing.”
How the attack unfolded
The incident reportedly involves a variant of HardBit ransomware that encrypted Collins Aerospace’s Domain Controllers, which disrupted airport kiosks, bag-drop systems, and boarding gates. The European Union Agency for Cybersecurity (ENISA) confirmed the attack caused widespread file encryption across systems essential for passenger processing.
Immediate impact on airports
The fallout was immediate. Airlines reported hundreds of delayed and canceled flights, while airport staff were forced to revert to manual systems using pen and paper.
Heathrow Airport noted that most flights were operating but warned passengers of extended wait times during check-in. Brussels Airport canceled more than 60 flights on Monday alone, while Berlin Airport reported ongoing reliance on manual processes well into the week, resulting in long lines and disrupted schedules.
Broader security context
The Collins Aerospace breach underscores an ongoing trend: critical infrastructure and aviation systems are increasingly becoming high-value targets for ransomware groups.
Unlike traditional IT environments, disruptions in aviation ripple across national economies, public safety, and even geopolitical stability. By crippling check-in systems and passenger processing workflows, attackers demonstrate their ability to cause maximum disruption with relatively contained technical operations.
The European Union Agency for Cybersecurity (ENISA) has warned that ransomware operators are evolving beyond opportunistic attacks, instead focusing on complex, high-impact targets where downtime can cost millions of euros per day.
The UK’s National Cyber Security Centre (NCSC) has echoed this concern, noting that adversaries are refining techniques for lateral movement and persistence specifically designed to penetrate hybrid IT/OT environments like airports.
Both agencies are now working closely with Collins Aerospace and affected airports not only to contain the immediate damage but also to evaluate the broader systemic risks this incident highlights.
Mitigation and lessons learned
For enterprises, the attack highlights several critical lessons. First, phishing remains a powerful initial vector, requiring robust employee awareness and advanced email filtering solutions.
Second, reliance on third-party platforms introduces systemic risks, as a breach at one vendor can disrupt multiple organizations simultaneously.
Finally, incident response planning must account for large-scale operational disruptions, particularly in sectors where physical and digital systems intersect.
Collins Aerospace has since advised customers to verify flight status online, arrive at airports with extra time, and install the latest security patches. Meanwhile, cybersecurity experts recommend monitoring for unusual registry changes, enforcing least-privilege access, and segmenting critical systems to prevent ransomware from spreading laterally.
Although the immediate crisis is being managed, recovery will likely be protracted. Collins Aerospace has yet to provide a definitive timeline for restoring normal operations. Experts warn that this event may embolden threat actors to target other transportation hubs, especially during periods of high travel or global political activity.





