A cyberattack that occurred over the weekend has caused significant disruption at major European airports. The incident targeted Collins Aerospace, a service provider for automated check-in and boarding systems. The cyberattack forced airports, including Heathrow, Brussels, and Berlin, to revert to manual procedures, leading to widespread flight delays and cancellations. At Heathrow, over 600 flights were affected, while Brussels and Berlin airports reported similar impacts on their schedules. The disruption resulted in longer waiting times for passengers across the affected locations. It has since been confirmed as a ransomware incident.
Cybersecurity experts from across the industry have weighed in…
Charlotte Wilson, Head of Enterprise Sales at Check Point Software:
“The aviation industry has been under sustained pressure from cybercriminals for several months, with attacks rising both in frequency and intensity. Check Point has found that the Transportation & Logistics sector has consistently ranked among the world’s top ten most attacked industries, with each organisation facing an average of 1,143 cyberattacks per week in recent months, a 5% increase year-on-year. In August 2025 alone, that number spiked to 1,258 weekly attacks. Ransomware remains a key concern as well: globally, around 1,600 incidents were reported in Q2 2025, with the Transportation & Logistics sector accounting for 4% of those cases
This relentless targeting underscores how the aviation industry has become an increasingly attractive target for cybercriminals due to its heavy reliance on shared digital systems. These attacks often strike through the supply chain, exploiting third-party platforms that are used by multiple airlines and airports at once. When one vendor is compromised, the ripple effect can be immediate and far-reaching, causing widespread disruption across borders.
To build resilience, aviation companies must take a layered approach: rigorously patching and updating software to close vulnerabilities, continuously monitoring for unusual activity that could indicate an intrusion, and implementing clear, well-tested backup systems that ensure airports and airlines can keep operating even if critical digital tools are knocked offline. But this challenge cannot be addressed in isolation. On a European scale, better information-sharing between governments, airlines, and technology providers is essential. Cyberattacks rarely stop at national borders, so the faster one country can identify and report an attack, the faster others can take action to contain it. A joined-up defence will be far more effective than siloed responses.
Cybercriminals are exploiting every weak link in this highly connected ecosystem. Unless the sector treats cybersecurity as a matter of operational continuity and passenger safety, not just IT, the risk of large-scale disruption will continue to rise. The time to act is now, through proactive resilience measures, international collaboration, and a recognition that cyber resilience is as critical to aviation as physical safety.”
Rebecca Moody, Head of Data Research at Comparitech:
“This attack is another stark reminder that companies’ systems are only as good as the third parties they use to provide services. By attacking the software provided to airports by Collins Aerospace, hackers have been able to cause widespread disruption at various locations across multiple countries. We don’t yet know who the attackers are, but if ransom demands aren’t met, we’ll likely see a claim coming through in the next few days/weeks.
What’s perhaps more concerning is that a ransomware group previously claimed to have hacked Collins Aerospace way back in July 2023. This attack was never confirmed by the company but BianLian alleged to have stolen around 20 GB of data from the organisation at the time.
This is the 15th confirmed attack on the transport sector this year so far.”
Dray Agha, senior manager of security operations at Huntress, added, “This incident underscores how critical third-party providers are to the aviation sector’s resilience. The attack on Collins Aerospace’s check-in and boarding systems shows that even if an airport has strong internal defences, dependencies on external software or services can become major single points of failure; a supply chain compromise will undermine your own internal security posture.
“The use of manual check-in and baggage drop as a mitigation is sensible, but it is neither scalable nor sustainable for long. This kind of fallback will create delays, confusion, higher costs, and increased exposure to human error. It emphasises the need for rigorous incident response planning, including regular drills for degraded operational states.
“Beyond immediate disruption, there are reputational and regulatory risks. Passengers expect reliability and safety; when basic services fail, trust erodes. Regulators are likely to scrutinise the supply chain, system redundancy, and the speed of detection and disclosure. This could lead to tighter rules around cyber resilience in critical infrastructure.”
Jamie Akhtar, CEO and Co-Founder of CyberSmart, said:
“The disruption at Heathrow, Brussels and other European hubs shows that cyber attacks aren’t always about ransomware or zero-days. In this case, the weak link appears to be a third-party provider behind check-in, boarding and baggage systems. Due to so many airport processes depending on it, the fallout will be extensive. It’s a reminder that operational reliance on external vendors creates a large attack surface, and when those services fail, the impact is immediate and highly visible.
To reduce risk from this kind of disruption, organisations need more than perimeter defences. That means rigorous assessment of supplier resilience, redundancy and fallback options, continuous monitoring of dependencies, and clear communication protocols during incidents. Ultimately, the weakest link is often someone else’s system but the consequences are felt by everyone.”
Darren Guccione, CEO and Co-Founder of Keeper Security, said:
“Although information is still limited, the disruption at several major European airports highlights how interconnected global transportation has become and how dependent it is on shared digital infrastructure. A technical incident with a single provider can quickly cascade across multiple airports, which is why resilience, security and visibility are critical in modern infrastructure.
Adversaries understand that targeting widely used technology services can result in outsized impact, as demonstrated in countless damaging supply chain attacks. Organisations that rely on third-party systems and vendors need to ensure that every point of access is secured, every connection is monitored and no user or system is automatically trusted.
Zero trust security models and privileged access management solutions play a central role in that effort. By enforcing least-privilege access and leveraging agentic AI to revoke credentials as soon as risk is detected, organisations can limit the impact of an attack and maintain public confidence in essential services.”
Javvad Malik, Lead CISO Advisor at KnowBe4, said:
“Air travel depends on shared systems, so a failure in a common check‑in platform quickly cascades into missed connections, accessibility shortfalls, and staff forced into manual workarounds.
It’s why it’s important to build in graceful failure by assuming the primary system will go down and rehearsing manual operations, offline boarding, and accessible contingencies, with cross‑trained staff and basic tools ready.
Reduce single points of failure by diversifying providers where feasible, segmenting tenants, and ring‑fencing critical functions so one vendor outage doesn’t halt everyone. Above all, communicate clearly and often, prioritise vulnerable passengers, and empower frontline teams to make humane decisions.
Resilience isn’t just cyber controls it’s people, process, and communications to ensure ongoing availability.”
Dr Martin Kraemer, CISO Advisor at KnowBe4, said:
“More information has come to light: Dublin airports have also been affected, and a ransomware demand was made. This does not mean the motivation could not also have been sabotage, but one motivation is now clear: extortion.
We still need more information to actually understand the true impact and ramifications of the attack.
The EU is still investigating the attack, while the impact is widespread. We should not expect the EU to determine the source as early. That is because there is still a lack of clarity since authorities and corporations have confusing messaging. The NCSC is investigating a cyber incident. Collins Aerospace is talking about a cyber-related disruption. We require more transparency before we can make meaningful conclusions as to who is behind this and what their benefits are.”
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy:
“This attack underscores the need for organisations to not only ensure that their own systems are kept secure and updated, but to also investigate and confirm that any third-party vendors, particularly software vendors, have their software and systems fully secured. Until then, we’ll continue to see hackers using the flaws in users’ systems to perform cyber attacks. While keeping systems updated isn’t a cure-all to block cyber attacks, they can lessen the impact of such attacks.”
