Overview
On 19 September 2025, a ransomware attack struck Collins Aerospace, a critical IT supplier for airlines. The incident affected check-in and bag-drop systems across multiple European airports, including London Heathrow.
While flights continued, automated passenger-processing systems were degraded, forcing airports to revert to manual handling. The disruption led to significant delays, long queues, and some flight cancellations.
The European Union Agency for Cybersecurity (ENISA) has confirmed the attack as ransomware. Collins Aerospace has begun restoring services, but full recovery is still ongoing.
What Happened?
Key details from the incident:
- Targeted Supplier Systems: Collins Aerospace’s check-in and bag-drop solutions, widely used by airlines and airports, were encrypted by ransomware.
- Geographic Impact: Disruptions were reported at Heathrow, Brussels, Berlin, and other airports, demonstrating the widespread reliance on this vendor.
- Operational Consequences:
- Automated check-in kiosks and bag-drop systems were knocked offline.
- Airports implemented manual processing, causing long queues and missed connections.
- Brussels Airport canceled dozens of flights at the peak of the incident; Heathrow warned passengers of longer wait times.
- Attribution & Threat Actor: No group has claimed responsibility yet. Investigations are ongoing, but experts assess this as a financially motivated ransomware campaign.
- Status Update: Collins Aerospace reports that systems are in the final stages of recovery, though residual delays remain.
Why This Matters for Aviation
This attack underscores systemic risks in aviation’s digital ecosystem:
- Supply Chain Dependency: A single vendor compromise disrupted operations across multiple airports, proving the fragility of interconnected passenger services.
- Operational Resilience Gaps: While flights were not grounded en masse, reliance on manual fallback showed the lack of redundancy in core passenger-processing systems.
- Passenger Trust and Experience: Heathrow and other hubs faced reputational risks as travelers encountered long lines and uncertainty, highlighting the direct business impact of cyber incidents.
- Regulatory Oversight: With ENISA confirming ransomware, both UK NCSC and EU aviation regulators are expected to push for stronger resilience and supplier assurance.
- Trend Indicator: Ransomware actors increasingly target aviation suppliers rather than airlines directly, exploiting concentration risks for maximum disruption.
Recommended Actions
To strengthen resilience against similar supply-chain cyberattacks, aviation stakeholders should consider:
Supplier Assurance
- Demand formal post-incident reports from Collins Aerospace, including root cause, exploited vectors, and recovery measures.
- Require security certifications and SBOM transparency for all critical aviation IT vendors.
Operational Readiness
- Maintain and drill manual check-in and bag-drop playbooks to ensure rapid fallback during IT outages.
- Pre-stage additional staff and resources during recovery phases to reduce bottlenecks.
Technical Defenses
- Share and monitor Indicators of Compromise (IOCs) once disclosed by ENISA or NCSC.
- Validate network segmentation and incident containment plans for third-party connections.
Passenger Communications
- Enhance real-time information sharing through apps, signage, and social channels.
- Proactively inform passengers to arrive earlier and check in online when possible.
Sector-Wide Exercises
- Conduct airport-wide resilience drills simulating third-party ransomware attacks.
- Include airlines, ground handlers, and regulators to test coordination under pressure.
In Summary
The Heathrow cyberattack illustrates how third-party ransomware can ripple through aviation, disrupting critical passenger services across multiple airports. Even without mass flight cancellations, the operational, reputational, and regulatory consequences are significant.
Airports, airlines, and regulators must treat supply-chain resilience as a top priority, demanding stronger assurance from IT vendors and preparing robust fallback procedures.
Where aviation relies on digital trust, ransomware actors now seek to break it – not at the airline level, but at the supplier core.
