Anatomy of a Breach: Collins Aerospace — Ransomware Grounds Passenger Processing at Heathrow, Brussels, and Berlin Airports

> series: anatomy_of_a_breach —— part: 200 —— target: collins_aerospace_muse —— airports: heathrow_brussels_berlin —— impact: manual_check-in

Hedgehog Security, 31 August 2025

Heathrow. Brussels. Berlin. Passenger processing down. Manual check-in. Ransomware.

In August 2025, a ransomware attack on Collins Aerospace's MUSE passenger processing system disrupted operations at several major European airports including London Heathrow, Brussels Airport, and Berlin Brandenburg. The MUSE system — used by airlines and airports for check-in, boarding pass issuance, flight management, and departure control — was rendered unavailable. Airlines and airports were forced to revert to manual passenger processing.

The attack, claimed by the Everest cybercrime group, spread rapidly across borders because the Collins MUSE system is deployed at multiple airports throughout Europe — a shared platform where a single compromise cascades to every airport using the system. The impact echoed the CrowdStrike outage (2024), where a single vendor's failure grounded flights globally — but this time, the disruption was caused by a deliberate criminal attack rather than a faulty update. Airlines resorted to handwritten boarding passes and manual passenger check-in, creating significant queues and delays — the same fallback procedures seen during the CrowdStrike incident.


One vendor. Multiple airports. Multiple countries. All disrupted simultaneously.

Shared Aviation Systems

Collins Aerospace's MUSE system is used across multiple airports — creating concentration risk where a single vendor compromise affects airports in different countries simultaneously. For UK aviation, <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses shared aviation system security and resilience.

Heathrow Affected

London Heathrow — the UK's busiest airport — was among those disrupted, directly affecting UK travellers and aviation operations. The Collins attack was the second major disruption to Heathrow in two years (after <a href="/blog/anatomy-of-a-breach-crowdstrike-outage">CrowdStrike</a>), reinforcing that aviation IT resilience is a recurring challenge. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors aviation-critical systems.

Manual Fallback Procedures

Airports reverted to manual check-in — handwritten boarding passes and physical processes. While disruptive, the existence and testing of manual fallback procedures limited the safety impact. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response planning including fallback procedure documentation and testing.

Cross-Border Impact

The attack affected airports across the UK, Belgium, and Germany simultaneously — demonstrating that shared vendor systems create cross-border risk that requires international coordination. <a href="/cyber-essentials">Cyber Essentials</a> addresses critical infrastructure vendor security.

200 articles. Seventeen years. Aviation keeps getting disrupted. The root causes haven't changed.

Article #200 in this series documents a shared vendor ransomware attack disrupting European airports — a scenario that combines the vendor concentration risk of CrowdStrike (2024), the ransomware against critical infrastructure of Colonial Pipeline (2021), and the aviation disruption of multiple previous incidents. After 200 articles, the controls remain unchanged: penetration testing, Cyber Essentials, SOC in a Box, and incident response.


Article #200. Heathrow, Brussels, Berlin disrupted by ransomware. Is your critical infrastructure resilient?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses vendor and aviation security. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors critical systems.
