ENISA turns attention to ransomware attack disrupting airports

Europe’s air travel network plunged into chaos after the EU’s cybersecurity agency said it had been hit with ransomware that affected airport passenger processing systems. The attack was against a significant provider and it led to check-in outages, baggage handling delays, and flight holdups at multiple major hubs as airlines had to resort to manual operations.

What ENISA found in the airport attack and why it matters

ENISA said the drop-offs are due to a ransomware breach at one of its third-party tech providers, a conclusion reported by Reuters after ENISA’s statement Friday morning. Though the source of the attack remains unattributed, ENISA’s inclusion indicates that through one form or another, it has cleared criteria to warrant coordination between different countries (cross-border), as well as critical infrastructure impact—stepping above simply being accidental IT hiccups.

Ransomware remains one of the most disruptive cyber threats in Europe, and ENISA’s Threat Landscape reports have consistently named it as a top risk to essential services. Attacks on suppliers are especially disruptive because one hijacked platform can spread across multiple airlines and airports at the same time.

Collins Aerospace and the MUSE passenger platform

The systems being affected are from Collins Aerospace, one of the world’s largest aviation technology providers and part of RTX. Local media reports and company statements quoted its MUSE passenger processing platform providing joint check-in desks and gates service for several airlines. That model of shared housing is efficient in good times—but it also centralizes operational risk when a service-wide outage strikes.

Collins Aerospace said it is collaborating with affected airports and airlines to resume services. The company has further not revealed the vector of the attack or if any data was exfiltrated, and there’s no publicly available evidence that safety-critical systems were targeted. Cascade risk: Further separation is provided in modern airport designs by isolating flight operations and air traffic control networks from passenger services.

Operational repercussions across key hubs

The most visible knock-on effects were at airports in Berlin, Brussels, and London where long queues developed at departure halls and airlines had to switch to manual check-in and boarding. Local news reports described hundreds of delays, as workers printed fallback bag tags and verified documents by hand—procedures that are secure but slow, especially during peak travel times.

When common systems falter, airlines fight through more than just check-in logjams but downstream mismatches as baggage checks, seat assignments, and boarding priorities often are managed by integrated applications. Redo execution: During recovery one has to be careful when trading off the process time against maintaining correct data integrity, because a mistake made now may cause an error further down in the path.

Why aviation’s supply chain is fertile ground for ransomware

Aviation depends on a vast interlocking web of vendors that produce check-in, departure control, baggage, and airport operations software. That interdependence is a strength for efficiency but a vulnerability to ransomware, which ferrets out central platforms as mechanisms for pulling levers. Eurocontrol and national computer security incident response teams have repeatedly sounded the alarm that infiltrating supply chains can lead to outsized disruption.

Attackers are also increasingly using “double extortion,” encrypting systems and threatening to post stolen data online. If personal information was obtained, affected companies would also potentially have notification obligations under the EU General Data Protection Regulation and recovery on the operational side. EU law enforcement and cybersecurity agencies, with Europol’s European Cybercrime Centre among them, recommend not paying ransoms, which they say rarely result in the restoration of files or data deletion.

Restoration, resilience and immediate guidance

Incident response usually follows a standard pattern: containment, forensic triage, restoration from backup that is known not to be infected, followed by hardening. For mutual airport platforms as well, recovery depends on reestablishing system trust: validating integrations with airline departure control, identity management, and baggage systems before capacity is added back.

Police and other authorities too often espouse common-sense resilience measures:

• Separate passenger-facing services from operational technology
• Rigorously implement least-privilege access
• Have active monitoring for lateral movement
• Test offline backups frequently

Tabletop exercises with airports and airlines are essential so that staff members know how to transition to manual procedures without adding chaos when centralized tools fail.

What travelers should do during airport system outages

Passengers traveling through impacted airports are advised to:

• Allow more time
• Use online check-in where available
• Carry both digital and printed copies of the boarding pass and travel itinerary

Airlines’ mobile apps and airport social channels typically offer the quickest operational updates as systems are restored.

The bigger picture for Europe’s shared airport platforms

That incident illustrates a structural truth: a handful of common platforms support some of the most important passenger services across European airports. That concentration allows for cost and efficiency gains, but it also introduces single points of failure that sophisticated ransomware groups have been too happy to exploit. As investigations continue, the industry’s priorities are coming into stark relief—rapid recovery today, and a deeper supply-chain resilience tomorrow.