Collins Aerospace

A **ransomware attack** crippled Collins Aerospace’s **Multi User System Environment (MUSE)**, a critical passenger management system used by **Heathrow, Brussels, and Berlin airports** in September. The attack caused **massive operational chaos**, including **217 canceled flights**, **thousands of stranded passengers**, and **millions of euros in financial losses** for airports and airlines. The disruption forced airports to revert to **manual processes** (pen-and-paper bag registration, handwritten boarding passes, and radio-coordinated gate assignments), leading to **extended delays, reputational damage, and systemic operational breakdowns** across three countries. The incident highlighted vulnerabilities in **supply chain cybersecurity**, where a single breach in a U.S.-based provider cascaded into **transnational critical infrastructure failure**, exposing gaps in cross-jurisdictional regulatory responses.

Source: https://www.lawfaremedia.org/article/lessons-from-the-european-airports-ransomware-attack

Collins Aerospace cybersecurity rating report: https://www.rankiteo.com/company/collins-aerospace

"id": "COL3892838112125",
"linkid": "collins-aerospace",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Thousands of passengers',
                        'industry': 'Air Transport',
                        'location': 'London, United Kingdom',
                        'name': 'Heathrow Airport',
                        'type': 'Airport'},
                       {'customers_affected': 'Thousands of passengers',
                        'industry': 'Air Transport',
                        'location': 'Brussels, Belgium',
                        'name': 'Brussels Airport',
                        'type': 'Airport'},
                       {'customers_affected': 'Thousands of passengers',
                        'industry': 'Air Transport',
                        'location': 'Berlin, Germany',
                        'name': 'Berlin Airport',
                        'type': 'Airport'},
                       {'industry': 'Aerospace/Defense',
                        'location': 'United States (HQ)',
                        'name': 'Collins Aerospace (RTX Corporation)',
                        'type': 'Technology Provider'},
                       {'customers_affected': 'Thousands of passengers',
                        'industry': 'Air Transport',
                        'location': ['United Kingdom',
                                     'Belgium',
                                     'Germany',
                                     'Other European countries'],
                        'name': 'Multiple Airlines',
                        'type': 'Airline Operators'}],
 'attack_vector': ['Third-Party Software Vulnerability',
                   'Supply Chain Compromise'],
 'customer_advisories': ['Passenger notifications regarding flight '
                         'cancellations/delays (via airlines/airports)',
                         'No direct advisories from Collins Aerospace to '
                         'end-users'],
 'data_breach': {'data_encryption': ['Ransomware encryption of MUSE systems']},
 'date_detected': '2023-09',
 'date_publicly_disclosed': '2023-09',
 'description': 'A ransomware attack in September crippled Collins Aerospace’s '
                'Multi User System Environment (MUSE), a critical passenger '
                'system used by Heathrow, Brussels, and Berlin airports. The '
                'attack caused massive delays, at least 217 canceled flights, '
                'and financial losses estimated in millions of euros. The '
                'incident highlighted vulnerabilities in supply chain '
                'cybersecurity for critical infrastructure, with cascading '
                'operational and reputational impacts across multiple '
                'countries. The attack targeted operational technology (OT) in '
                'real-time, forcing airports to revert to manual processes '
                '(e.g., pen-and-paper bag registration, ticketing, and gate '
                'assignments). The incident also underscored regulatory '
                'discrepancies between the U.S. (piecemeal, sector-specific '
                'rules) and Europe (centralized frameworks like NIS2 and '
                'GDPR).',
 'impact': {'brand_reputation_impact': ['Significant reputational harm to '
                                        'Collins Aerospace, airports '
                                        '(Heathrow, Brussels, Berlin), and '
                                        'airlines'],
            'customer_complaints': ['Thousands of affected passengers'],
            'downtime': ['Multi-day operational disruptions',
                         'Manual processes required for bag registration, '
                         'ticketing, gate assignments'],
            'financial_loss': 'Millions of euros (estimated, across airports '
                              'and airlines)',
            'operational_impact': ['217+ canceled flights',
                                   'Extensive delays',
                                   'Terminal congestion due to manual '
                                   'verification',
                                   'Use of two-way radios for gate '
                                   'coordination'],
            'systems_affected': ['Collins Aerospace’s Multi User System '
                                 'Environment (MUSE)',
                                 'Airport Passenger Processing Systems '
                                 '(Heathrow, Brussels, Berlin)']},
 'initial_access_broker': {'high_value_targets': ['Collins Aerospace’s MUSE '
                                                  'system (critical to airport '
                                                  'operations)']},
 'investigation_status': ['Ongoing (as of latest reports)',
                          'Confidential under EU NIS2 provisions (no public '
                          'details from national authorities)',
                          'RTX Corporation’s internal investigation concluded '
                          'no material financial impact (per SEC filing)'],
 'lessons_learned': ['Supply chain attacks on operational technology (OT) can '
                     'have cascading, real-time impacts on critical '
                     'infrastructure.',
                     'Regulatory fragmentation (U.S. vs. EU) complicates '
                     'cross-jurisdictional incident response and transparency.',
                     'Manual fallback processes (e.g., pen-and-paper) are '
                     'insufficient for modern airport operations during cyber '
                     'disruptions.',
                     'Centralized service providers (e.g., MUSE) create force '
                     'multiplier risks for attackers, enabling single-point '
                     'failures with wide-reaching consequences.',
                     'Operational dependency (not corporate HQ location) '
                     'determines regulatory jurisdiction in the EU and UK.'],
 'motivation': ['Financial Gain (Ransomware)',
                'Disruption of Critical Infrastructure'],
 'post_incident_analysis': {'root_causes': ['Vulnerability in Collins '
                                            'Aerospace’s MUSE system '
                                            '(specifics undisclosed)',
                                            'Supply chain dependency risk in '
                                            'critical infrastructure',
                                            'Lack of resilient fallback '
                                            'systems for OT disruptions']},
 'ransomware': {'data_encryption': 'Yes (MUSE system)'},
 'recommendations': ['Strengthen supply chain cybersecurity standards for OT '
                     'systems in critical infrastructure.',
                     'Harmonize cross-border incident reporting and disclosure '
                     'requirements (e.g., align U.S. CIRCIA with EU NIS2).',
                     'Implement mandatory cybersecurity resilience measures '
                     'for third-party providers serving critical sectors '
                     '(e.g., air transport).',
                     'Develop robust manual backup systems and redundant OT '
                     'architectures to mitigate single-point failures.',
                     'Enhance public-private coordination for transnational '
                     'cyber incidents, particularly in aviation and transport '
                     'sectors.',
                     'Clarify extraterritorial application of cybersecurity '
                     'regulations to ensure consistent oversight of global '
                     'technology providers.'],
 'references': [{'source': 'RTX Corporation SEC Form 8-K Filing'},
                {'source': 'European Union Agency for Cybersecurity (ENISA) - '
                           'NIS2 Directive',
                 'url': 'https://www.enisa.europa.eu/'},
                {'source': 'UK National Cyber Security Centre (NCSC) - '
                           'Aviation Sector Guidance',
                 'url': 'https://www.ncsc.gov.uk/'},
                {'source': 'U.S. Cybersecurity and Infrastructure Security '
                           'Agency (CISA) - CIRCIA Proposed Rule',
                 'url': 'https://www.cisa.gov/'},
                {'source': 'Belgian Centre for Cybersecurity (CCB)',
                 'url': 'https://ccb.belgium.be/'},
                {'source': 'German Federal Office for Information Security '
                           '(BSI)',
                 'url': 'https://www.bsi.bund.de/'}],
 'regulatory_compliance': {'regulatory_notifications': ['EU NIS2 Directive '
                                                        '(Belgium, Germany, UK '
                                                        'equivalents)',
                                                        'EU General Data '
                                                        'Protection Regulation '
                                                        '(GDPR)',
                                                        'UK Network and '
                                                        'Information Systems '
                                                        'Regulations 2018',
                                                        'UK Cyber Security and '
                                                        'Resilience Bill '
                                                        '(forthcoming)',
                                                        'U.S. SEC Form 8-K '
                                                        '(material incident '
                                                        'disclosure by RTX '
                                                        'Corporation)',
                                                        'Potential U.S. CIRCIA '
                                                        'reporting (pending '
                                                        'final rule, 2026)']},
 'response': {'communication_strategy': ['Limited public disclosure due to EU '
                                         'confidentiality provisions',
                                         'RTX Corporation’s SEC Form 8-K '
                                         'filing (U.S.)'],
              'containment_measures': ['Manual processes (pen-and-paper, '
                                       'radios)',
                                       'Isolation of affected systems '
                                       '(likely)'],
              'incident_response_plan_activated': ['European Union (NIS2 '
                                                   'Directive)',
                                                   'National authorities in '
                                                   'Belgium (CCB), Germany '
                                                   '(BSI), UK (NCSC)'],
              'law_enforcement_notified': ['EU-CyCLONe network',
                                           'UK National Crime Agency',
                                           'Potential U.S. agencies (CISA, '
                                           'FAA, SEC)']},
 'stakeholder_advisories': ['Limited public advisories due to EU '
                            'confidentiality rules',
                            'Airlines and airports likely issued internal '
                            'operational alerts'],
 'title': 'Ransomware Attack on Collins Aerospace’s MUSE System Disrupts '
          'Heathrow, Brussels, and Berlin Airports',
 'type': ['Ransomware',
          'Supply Chain Attack',
          'Operational Technology (OT) Disruption']}