Ransomware cyberattack disrupts Brussels Zaventem Airport
What happened
Late on Friday 19 September 2025, a cyberattack struck Collins Aerospace, the RTX-owned supplier whose MUSE (Multi-User System Environment) software lets multiple airlines share check-in desks and boarding gates rather than running dedicated systems. The compromise of this shared platform disrupted electronic check-in and automated baggage drop at Brussels Airport in Zaventem, with effects becoming widely visible on Saturday 20 September. The same attack affected London Heathrow and Berlin Brandenburg (BER), and disruption was reported at Dublin as well, illustrating how the failure of one supplier can ripple across multiple hubs.
Brussels Airport reverted to manual check-in to keep flights moving, advising passengers to arrive early and asking airlines such as Brussels Airlines and TUI fly to lean on online or alternative check-in. According to VRT NWS, disruption persisted for days as systems were not fully restored: roughly 9 percent of flights were cancelled on Tuesday 23 September and about 6 percent on Wednesday 24 September. On 22 September the EU cybersecurity agency ENISA confirmed the incident was a third-party ransomware attack, said the ransomware type had been identified, and noted law enforcement was investigating. As reported by Reuters, the impact was concentrated on customer-facing check-in and baggage functions and could be mitigated through manual processing.
Assessment
The incident is best understood as a supply-chain cyberattack: a single compromised vendor (Collins Aerospace) degraded operations at several major European airports at once. ENISA characterised it as ransomware, which points to financially motivated criminal activity rather than a state operation, and no government or group has been credibly named in public reporting. Attribution beyond ransomware remains unconfirmed. The episode underscores aviation's concentration risk in shared passenger-processing software and the value of resilient manual fallbacks, which limited the disruption to delays and partial cancellations rather than a full operational shutdown.
This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.