ENISA Confirms Ransomware Behind Airport Check-In Chaos

ENISA confirms ransomware disrupted Collins Aerospace’s MUSE check-in systems across multiple European airports, forcing manual processing and raising regulatory, fraud and supply-chain risk.

    Incident Discovery, Attribution and Timeline

    Europe’s cyber agency, ENISA, confirmed that a ransomware attack against a third-party provider disrupted automated check-in and baggage systems at multiple major airports, prompting airlines and airports to fall back to manual processes. The disruption began late Friday and affected hubs including Heathrow, Brussels and Berlin, producing long queues, delays and hundreds of cancellations over the weekend.
    A spokesperson for RTX, parent of the affected vendor Collins Aerospace, described the problem as a “cyber-related disruption” to the vendor’s ARINC MUSE passenger-processing platform and said staff were working with airports to restore systems. The company said the impact on affected kiosks and shared check-in desks could be mitigated through manual procedures while on-site remediation continued.

    “The impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations.” — RTX / Collins Aerospace.

    ENISA also told media that the ransomware family involved has been identified and that law enforcement is cooperating in the investigation; however, public attribution and firm claims of responsibility had not been established at the time of the agency’s statement.

    Technical Breakdown, Attack Vector and Operational Impact

    What was hit. The attack hit the ARINC Multi-User System Environment (MUSE), a shared passenger-processing platform that lets multiple airlines share check-in desks and boarding gates rather than each airline running its own dedicated infrastructure. Because MUSE mediates front-line passenger touchpoints, a successful disruption can instantly force manual operations across multiple carriers at a single airport.

    Likely attack vectors. Early reporting and analyst commentary point to ransomware actors targeting the vendor’s on-premises or administrative servers that host critical MUSE components, corrupting local workstations and blocking automated kiosk and baggage-drop functionality. Internal memos seen by reporters warned staff not to power down or log out of affected workstations while remediation was underway, suggesting that active containment measures and manual forensic recovery were in progress.

    Scale and operational impact. The attack created a multi-airport outage pattern: Brussels canceled dozens of flights and relied on laptops and tablets for manual processing, Heathrow experienced long terminal queues and delays, and Berlin—already busy because of local events—saw elevated passenger congestion. Collins Aerospace reported technicians on site and said updates were in the final stages to restore full functionality; however, individual airports continued to manage residual delays and re-routing for days.

    Why MUSE is a high-value target. A MUSE compromise is high leverage because it concentrates passenger-facing services for many airlines into one platform. Attackers who successfully disable MUSE can cause outsized disruption without needing to breach each airline individually.

    Investigative Context, Motive and Comparative Incidents

    Motive and criminal behavior. Ransomware groups typically aim to encrypt systems, demand payment for decryption keys, and sometimes exfiltrate data for secondary extortion. In shared-service scenarios, attackers have incentives to maximize operational pain to increase leverage for ransom demands or to force rushed remediation that may hamper forensic discovery.

    Comparative incidents to watch.

    • The Collins incident mirrors other third-party compromises that triggered systemic outages—past examples include supply-chain and managed-service attacks that propagated to multiple customers, emphasizing supplier risk.
    • Aviation has faced operational outages from non-malicious IT failures before (mass cancellations from system failures at major carriers), but the ransomware element here adds criminal intent and law-enforcement involvement, raising stakes for operator coordination and regulatory scrutiny.
    • Recent industry incidents where ransomware or third-party failures affected high-touch services highlight that attacker focus has shifted to shared infrastructure (SaaS, managed services, operational vendors) because of the multiplier effect on disruption.

    Risk Implications — Passenger Safety, Fraud and Regulatory Exposure

    Passenger experience and safety. Although airport safety systems (air traffic control, navigation) were not reported as affected, long queues, delayed departures and the need for manual baggage checks increase the operational complexity at busy hubs and can indirectly pressure safety margins if staffing and attention are strained.

    Fraud and data risk. If attackers exfiltrated passenger manifests or contact records before encrypting systems, travelers could face increased phishing or social-engineering attempts that impersonate airlines or airport staff. Even without confirmed data theft, the combination of operational chaos and high-volume communications creates fertile ground for opportunistic scams.

    Regulatory and contractual exposure. Because Collins Aerospace provides a service that directly touches passengers across jurisdictions, regulators (national aviation authorities, data-protection agencies) may demand rapid incident reports, vendor-management evidence, and proof of mitigations. Airlines and airports will likely examine contractual indemnities, insurance coverage, and whether vendor security controls met required standards.

    Remediation Advice — Immediate Steps and Strategic Controls

    For Airports and Airlines (Immediate & Short Term)

    • Switch to validated manual processes with clear role ownership for check-in, baggage handling and gate management; ensure manual manifests are cross-checked by two staffers to avoid errors.
    • Isolate infected systems physically where possible and follow vendor guidance on bringing endpoints back online to avoid re-infection.
    • Maintain passenger communications through verified channels (official websites, SMS opt-in, airport PA systems) to reduce confusion and limit exposure to phishing attempts.
    • Log and preserve forensic evidence; coordinate with law enforcement to support attribution and potential takedown efforts.

    For Collins Aerospace, RTX and Critical Vendors

    • Prioritize coordinated incident response and transparent, frequent updates to affected airlines and regulators; publish an incident timeline once forensics permit.
    • Rebuild or restore systems from known good images rather than attempting risky in-place remediation when endpoints show signs of corruption.
    • Review segmentation and redundancy: separate passenger-facing services from administrative networks; ensure offline or geographically distributed failover capacity for core passenger processing.
    • Assess data exfiltration risk with external forensic teams; if customer records were exposed, prepare notification and mitigation packages.

    For Travelers and the Public

    • Confirm travel status before heading to the airport (airline app or official airport websites) and permit extra time for manual processing.
    • Beware of unsolicited messages claiming to be from airlines; verify them via the airline’s official site or official phone numbers.
    • Keep documentation handy (booking reference, ID) and expect manual verification steps at check-in and baggage drop.

    Strategic Recommendations — Hardening Shared Aviation Services

    1. Vendor risk baseline: Regulators and operators should require critical-service vendors to maintain certification levels, frequent third-party audits, and demonstrable segmentation between operational and administrative systems.
    2. Redundancy and graceful degradation: Design passenger-processing systems to fail to a minimal-impact manual mode with pre-distributed business-continuity playbooks and local offline manifests.
    3. National coordination mechanisms: Aviation authorities should maintain incident escalation channels for cross-border vendor incidents to coordinate responses across affected airports and airlines.
    4. Insurance & contractual reform: Re-examine coverage models to ensure third-party failures and multi-site disruptions are insurable and that vendor contracts clearly assign obligations for notification, remediation and customer support.

    “Law enforcement is involved to investigate and the type of ransomware has been identified,” — ENISA, confirming the criminal nature of the disruption.

    What To Monitor Next

    • Public forensic updates from Collins Aerospace / RTX and ENISA confirming whether data exfiltration occurred and whether any ransom demands were made.
    • Airline and airport recovery timelines and whether any long-tail cancellations or re-bookings create further commercial claims.
    • Regulatory responses from national aviation authorities and data-protection agencies concerning vendor oversight and notification adequacy.
    • Potential contagion to other shared aviation suppliers or to legacy systems integrated with MUSE.