Coordinated cyberattacks target check-in and boarding systems, exposing operational flaws at major European airports.
In Brussels, Berlin-Brandenburg, and London-Heathrow, synchronized cyberattacks paralyze European airports, forcing manual operations and endless lines. The provider Collins Aerospace suffers an intrusion affecting its MUSE software, disrupting check-in, baggage tags, and automated routing. This breach illustrates the vulnerability of a critical check-in provider, a systemic weakness in the digital aviation supply chain. Traffic experiences delays, cancellations, and diversions, while a reputable supplier proves to have porous defenses against sophisticated actors. Operations partially stabilize, but the domino effect on flights, baggage, and punctuality exposes a cross-border fragility. The perpetrators remain undetermined, with hypotheses ranging from opportunistic vandalism to criminal or state-sponsored groups. The central issue: aviation security depends on robust cybersecurity and resilient supplier agreements at European airports.
| Quick Focus | |
| --- | --- |
| Nature | Cyberattack targeting check-in and boarding systems via a third-party provider. |
| Vector | MUSE software from Collins Aerospace disrupted. Shift to manual procedures. |
| Timeline | Attack on the evening of Friday, September 19. Effects noted the following morning. |
| Affected Areas | Impacts in Brussels, Berlin Brandenburg, and London Heathrow. Other airports spared. |
| Overall Impact | Traffic slowed. Disruptions mostly contained throughout the day. |
| Brussels | 9 canceled flights, 4 diverted, 15 delays ≥ 1h mid-morning. |
| Berlin | No cancellation linked to this incident late morning. Connections to affected systems cut. |
| Heathrow | Minimal effect. No direct cancellations reported. Delays not detailed. |
| Perpetrators | Undetermined origin (hackers, criminals, state actors). Vandalism rather than extortion has been mentioned as a lead. |
| Vulnerability | Dependence on shared platforms and supply chain risks for aviation. |
| Response | Collins is working on recovery. Manual operations limit the impact. |
| Travelers | Check flight status, arrive earlier, anticipate possible handwritten baggage tags and queues. |
| Issue | Increased need for resilience and security of shared critical systems. |
Timeline and Scope of the Incident
A cyberattack targeted the check-in and boarding systems used by several major European airports on the night of September 19. The disruptions notably affected Brussels, Berlin-Brandenburg, and Heathrow, forcing a shift to manual procedures. The airlines were not directly targeted; the attack aimed at a common provider responsible for front-office passenger operations.
Incident managed via a shared systems provider. On-the-ground controls, printing of boarding passes and baggage tags, as well as self-service drop-off ceased to function in some locations. The affected parties isolated connections to the compromised systems to contain the incident and preserve the integrity of other operational platforms.
The provider in question, Collins Aerospace, reported a security-related disruption affecting its MUSE (Multi-User System Environment) software at some airports. Operations shifted to a degraded mode, with manual check-in and handwritten labels to maintain a minimal flow of passengers.
Operational Impact on European Hubs
Consequences varied across platforms, depending on local redundancies and readiness for incident response. In Brussels, the morning saw several cancellations, diversions, and about fifteen flights delayed by at least an hour. In Berlin, airport authorities reported a controlled situation while remaining ready to adjust flight plans if the outage persisted.
Organized response: transition to manual procedures. At Heathrow, the busiest airport in Europe, the disruption was deemed minimal, with no cancellations directly attributable to the provider’s issue. Terminals, however, experienced longer waits, along with slower manual operations at check-in counters.
Nature of the Attack and Attribution Hypotheses
Initial analyses point to a supply chain attack targeting the software infrastructure of a central player. Available clues suggest a scenario of digital vandalism rather than structured extortion, with no clear claim or known ransom demand. This interpretation is still evolving, as technical intelligence may revise the hypothesis in the coming days.
Experts interviewed highlight the audacity of an assault targeting a world-ranked supplier, known for its resilience mechanisms. By striking the core of multi-carrier check-in processes, the attack produced a rare cross-cutting effect that is difficult for any single operator to anticipate in isolation.
Dependence on Suppliers and Systemic Risk
The heavy pooling of check-in and baggage dispatch tools creates a shared attack surface. Multi-user platforms, such as MUSE, serve multiple airlines and airports, creating a single point of failure. This architecture optimizes costs and interoperability while exposing the ecosystem to a simultaneous shock when the supplier suffers a breach.
Domino effect on several interconnected European hubs. Recent sector analyses describe a rise in offensives exploiting third-party solutions, with an immediate impact on cross-border operations. Additional insights into cybercrime related to business travel detail these dynamics and their repercussions on service continuity.
Consequences for Travelers
Passengers faced prolonged queues at counters, with handwritten tags and minimal automation. A significant portion of airlines had reduced staff at traditional counters, so the sudden influx strained physical reception. Airports issued regular information on flight status and recommended allowing extra time for check-in.
Incidents of this type encourage attention to digital hygiene and preparation for sensitive travel. Useful resources exist on monitoring high surveillance destinations, as well as on advisories issued for American citizens and their safety, translatable to other nationalities in a precautionary context.
Remediation Measures and Business Continuity
Operators isolated the affected systems, strengthened logging, and conducted accelerated integrity checks. SOC teams correlated events across the entire perimeter to identify the entry point and any potential persistence. Contingency plans supported manual boarding, while IT departments validated the progressive reactivation of services.
A robust feedback loop requires restoration testing, hardening of privileged access, and tabletop scenarios with the provider. RTO/RPO targets must integrate multi-entity dependencies, with precise inventory of interfaces and offline capabilities for the issuance of travel documents.
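As an added illustration (not part of the original article), the sketch below audits a dependency inventory the way the paragraph above recommends: it derives each passenger function's effective RTO from its whole supplier chain and lists suppliers shared across sites. All site, component and supplier names and all hour values are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: names and hours are hypothetical, not from the article.
# component -> supplier, that supplier's committed RTO (hours), upstream components
COMPONENTS = {
    "checkin-app":   {"provider": "shared-vendor", "rto_h": 24, "deps": ["wan-link"]},
    "bagtag-print":  {"provider": "shared-vendor", "rto_h": 24, "deps": ["checkin-app"]},
    "gate-app":      {"provider": "shared-vendor", "rto_h": 24, "deps": ["wan-link"]},
    "wan-link":      {"provider": "telco", "rto_h": 8, "deps": []},
    "flight-boards": {"provider": "airport-it", "rto_h": 2, "deps": []},
}
# (site, passenger function, component, target RTO hours, tested offline fallback)
FUNCTIONS = [
    ("AIRPORT-A", "check-in", "checkin-app", 4, True),
    ("AIRPORT-A", "baggage tags", "bagtag-print", 4, True),
    ("AIRPORT-A", "boarding", "gate-app", 2, False),
    ("AIRPORT-B", "check-in", "checkin-app", 4, False),
    ("AIRPORT-B", "flight info", "flight-boards", 4, False),
]

def chain(component, components):
    """Return the component plus everything it transitively depends on."""
    seen, stack = set(), [component]
    while stack:
        name = stack.pop()
        if name not in seen:          # also guards against dependency cycles
            seen.add(name)
            stack.extend(components[name]["deps"])
    return seen

def effective_rto(component, components):
    """A function recovers only when its slowest dependency has recovered."""
    return max(components[c]["rto_h"] for c in chain(component, components))

def rto_gaps(functions, components):
    """Functions whose chain RTO exceeds the target with no offline fallback."""
    return [(site, fn, effective_rto(comp, components), target)
            for site, fn, comp, target, offline in functions
            if not offline and effective_rto(comp, components) > target]

def shared_suppliers(functions, components, min_sites=2):
    """Suppliers whose failure would hit several sites at once."""
    sites = defaultdict(set)
    for site, _fn, comp, _target, _offline in functions:
        for c in chain(comp, components):
            sites[components[c]["provider"]].add(site)
    return {p: sorted(s) for p, s in sites.items() if len(s) >= min_sites}

if __name__ == "__main__":
    print(rto_gaps(FUNCTIONS, COMPONENTS))
    print(shared_suppliers(FUNCTIONS, COMPONENTS))
```

In this constructed data, the functions without a tested offline fallback are the ones that surface as gaps, even though every site relies on the same slow-to-recover supplier.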
Governance, Compliance, and Sector Cooperation
The European regulatory framework, notably NIS2, aims for continuous elevation of practices among operators and their suppliers. Service contracts should include resilience metrics, independent audits, and transparency obligations in the event of an incident. Pooling crisis exercises between airports and airlines would enhance collective preparedness against emerging threats.
Major hubs benefit from sharing compromise indicators, anonymized telemetry, and plausible attack scenarios. Joint exercises with public forces and civil aviation authorities speed up decision-making coordination. Investments in network segmentation, enhanced authentication, and real-time monitoring capabilities reduce the amplitude of future disruptions.
Short-term Perspectives
Operators expect a full recovery of critical systems after validation of technical remediation. Passengers will still experience some residual delays as operations catch up and crew rotations recalibrate. Lessons learned will lead to a reduction in risk concentration and an elevation in controls among shared providers.
Managed domino effect, heightened vigilance on critical dependencies. Investigators continue the forensic analysis to attribute the attack and prevent any recurrence. Aviation stakeholders are adjusting their mechanisms to combine operational fluidity with increased resilience against sophisticated intrusions.