Cyberattacks disrupt the systems of several major European airports, causing travel delays

Coordinated attacks targeted check-in and boarding systems, exposing operational flaws at major European airports.

In Brussels, Berlin-Brandenburg, and London-Heathrow, synchronized cyberattacks paralyzed European airports, forcing manual operations and endless queues. The provider Collins Aerospace suffered an intrusion affecting its MUSE software, disrupting check-in, baggage tags, and automated routing. This breach exposes the weakness of a critical check-in provider, a systemic vulnerability in the digital aviation supply chain. Traffic suffered delays, cancellations, and diversions, while a reputable supplier revealed porous defenses against sophisticated actors. Operations have partially stabilized, but the domino effect on flights, baggage, and punctuality exposes a cross-border fragility. The perpetrators remain undetermined, with hypotheses ranging from opportunistic vandalism to criminal or state actors. The cardinal issue: aviation security depends on robust cybersecurity and resilient supplier agreements at European airports.

Quick Focus
Nature: Cyberattack targeting check-in and boarding systems via a third-party provider.
Vector: MUSE software from Collins Aerospace disrupted. Shift to manual procedures.
Timeline: Attack on the evening of Friday, September 19. Effects noticed the next morning.
Affected Areas: Impacts in Brussels, Berlin Brandenburg, and London Heathrow. Other airports spared.
Overall Impact: Traffic slowed. Disruptions mostly contained throughout the day.
Brussels: 9 flights canceled, 4 diverted, 15 delays ≥ 1h by mid-morning.
Berlin: No cancellations related to this incident by late morning. Connections to affected systems cut off.
Heathrow: Minimal effect. No direct cancellations reported. Delays not detailed.
Perpetrators: Undetermined origin (hackers, criminals, state actors). Mention of vandalism rather than extortion.
Vulnerability: Dependence on shared platforms and supply-chain risks for aviation.
Response: Collins is working on recovery. Manual operations limit the impact.
Travelers: Check flight status, arrive earlier, expect queues and possibly handwritten baggage tags.
Issue: Increased need for resilience and security of shared critical systems.

Timeline and Scope of the Incident

A cyberattack targeted the check-in and boarding systems used by several major European airports on the night of September 19. Disruptions particularly affected Brussels, Berlin-Brandenburg, and Heathrow, forcing a switch to manual procedures. The airlines were not directly targeted: the attack was aimed at a shared provider responsible for passenger front-office operations.

Incident managed via a shared systems provider. Ground controls, printing of boarding passes and baggage tags, as well as self-drop services, stopped working in some locations. The parties concerned isolated connections to the affected systems to contain the incident and preserve the integrity of other operational platforms.

The provider in question, Collins Aerospace, reported a security-related disruption affecting its MUSE (Multi-User System Environment) software at some airports. Operations switched to a degraded mode, with manual check-in and handwritten labels to maintain a minimal flow of passengers.

Operational Impact on European Hubs

Consequences varied across platforms, depending on local redundancies and preparedness for incident response. In Brussels, the morning saw several cancellations, diversions, and about fifteen flights delayed by at least one hour. In Berlin, airport authorities described a controlled situation, remaining ready to adjust the flight plan if the outage persisted.

Organized response: shift to manual procedures. At Heathrow, the busiest airport in Europe, the disruption was described as minimal, with no cancellations directly attributable to the provider’s issue. However, terminals recorded longer waiting times as manual operations slowed the check-in counters.

Nature of the Attack and Attribution Hypotheses

Initial analyses point to a supply chain attack targeting the software infrastructure of a central actor. Available evidence suggests digital vandalism rather than structured extortion, with no clear claim of responsibility or known ransom demand. This assessment is still evolving, as technical intelligence may revise the hypothesis in the coming days.

Specialists interviewed underline the audacity of an assault on a global provider known for its resilience mechanisms. By striking at the heart of multi-airline check-in processes, the attack produced a rare cross-cutting effect that is difficult for any individual operator to anticipate.

Dependence on Providers and Systemic Risk

The heavy sharing of check-in and baggage dispatch tools creates a shared attack surface. Multi-user platforms, including MUSE, serve multiple companies and airports, creating a single point of failure. This architecture optimizes costs and interoperability while exposing the ecosystem to a simultaneous shock when the provider suffers a breach.

Domino effect on several interconnected European hubs. Recent sector analyses describe a rise in offensives exploiting third-party solutions, with immediate impact on cross-border operations. Further reading on cybercrime related to business travel details these dynamics and their repercussions on service continuity.

Consequences for Travelers

Passengers faced prolonged queues at counters, with handwritten tags and minimal automation. A significant portion of airlines had reduced staff at traditional counters, and the sudden influx strained on-site passenger handling. Airports provided regular updates on flight status and recommended early arrival at the check-in area.

Incidents of this kind invite consideration of digital hygiene and preparedness for sensitive travel. Useful resources exist on heavily monitored destinations, as well as on the security advisories issued for American citizens, which can be applied to other nationalities as a precaution.

Remediation Measures and Business Continuity

Operators isolated the affected systems, enhanced logging, and conducted accelerated integrity checks. SOC teams correlated events across the entire perimeter to identify the entry point and any potential persistence. Contingency plans supported manual boarding, while IT departments validated the gradual restoration of services.

A robust feedback loop requires restoration testing, hardening of privileged accesses, and tabletop scenarios with the provider. RTO/RPO objectives should incorporate multi-entity dependencies, with a precise inventory of interfaces and offline capabilities for issuing travel documents.

Governance, Compliance, and Sector Cooperation

The European regulatory framework, particularly NIS2, aims to continuously raise the practices of operators and their providers. Service contracts should include resilience metrics, independent audits, and transparency obligations in case of an incident. Shared crisis testing between airports and airlines would strengthen collective preparedness against emerging threats.

Major hubs benefit from sharing indicators of compromise, anonymized telemetry, and plausible attack scenarios. Joint exercises with public forces and civil aviation authorities accelerate decision-making coordination. Investments in network segmentation, strengthened authentication, and real-time supervision capabilities reduce the scale of future disruptions.

Short-term Perspectives

Operators expect a full recovery of critical systems after validation of technical remediation. Passengers will still experience some residual delays as the operational backlog is absorbed and crew rotations are recalibrated. Lessons learned will lead to a reduction in risk concentration and stronger controls among shared providers.

Managed domino effect, heightened vigilance on critical dependencies. Forensic investigations continue in order to attribute the attack and prevent any recurrence. Air transport actors are adjusting their systems to combine operational fluidity with heightened resistance to sophisticated intrusions.

Aventurier Globetrotteur