The Heathrow–Europe Airport Cyberattack: What Happened, Impact, Cost, and How to Respond

A ransomware attack on Collins Aerospace’s MUSE check-in and boarding software started late Friday, 19 September 2025. Automated check-in and bag-drop systems went down across multiple European airports. Heathrow, Brussels, Berlin, and Dublin saw the brunt of delays and cancellations while many airlines switched to manual processing. Regulators say the root issue sits with a third-party vendor, not airport infrastructure. Early, conservative cost modelling points to low-eight-figure direct airline costs over the first 72 hours, not counting reputational and knock-on losses.

The incident in one page

What failed. Collins Aerospace’s cloud-based MUSE platform that powers airline check-in, boarding, and some baggage functions at multiple airports. The European Union Agency for Cybersecurity (ENISA) confirmed it as a ransomware event.

When it started. Evening of Friday, 19 September 2025. Disruption continued through the weekend and into Monday, 22 September.

Who was hit. Heathrow, Brussels, Berlin Brandenburg, and Dublin reported material impact. Heathrow said most flights operated but with manual processing in parts of the operation. Brussels cancelled dozens of flights and warned of continued disruption. Berlin faced queues during marathon weekend traffic. Dublin reported ongoing delays in Terminal 2.

Current status at time of writing. Collins said it is close to completing updates and restoring normal service. National cyber agencies, including the UK NCSC, are working with airports and Collins.

Timeline and operational picture

Friday night, 19 Sep: Automated check-in and boarding functions drop offline. Airports pivot to manual check-in and paper boarding while Collins investigates.

Saturday, 20 Sep: Heathrow warns of delays. Brussels and Berlin confirm manual processing. The NCSC coordinates with Collins and UK airports.

Sunday, 21 Sep: Brussels cancels ~50 of ~250–276 departures and asks airlines to reduce schedules for Monday. Heathrow reports widespread but mostly sub-hour delays. Dublin sees a second day of disruption in T2.

Monday, 22 Sep: Fourth day of disruption. Heathrow mostly running, still pockets of manual processing. Brussels continues to cancel flights. Collins says fixes are nearly complete.

Scale of impact

Flights and delays

Heathrow: On Sunday, delays reportedly affected ~90% of 350+ flights, with average delay ~34 minutes. Cancellations were limited compared to Brussels.
Brussels: 45–60 cancellations on Sunday alone depending on the reporting cut-off, with continued cancellations into Monday.
Berlin and Dublin: Significant queues and manual processing. Dublin highlighted ongoing T2 baggage and check-in issues.

Passenger experience

Long lines at check-in and bag-drop.
Gate changes and last-minute delays as airlines manually reconcile passengers and bags.
Increased misconnections where manual processes slowed turnarounds.

How much did it cost?

There is no official consolidated loss figure yet. We can build a conservative model from public delay and cancellation data using Eurocontrol’s standard economic inputs.

1) Delay costs.

Eurocontrol’s recommended tactical delay cost with network effect averages roughly €166 per minute at-gate across aircraft types. That figure already includes knock-on delays elsewhere in the network.

Using the Guardian’s Heathrow snapshot for Sunday alone: ~315 delayed flights (90% of 350) × 34 minutes ≈ 10,710 delay-minutes.

Multiply by €166/minute gives ≈ €1.8 million in direct airline delay cost for that Heathrow day, before passenger compensation, overtime, and extra handling.

2) Cancellation costs.

Eurocontrol’s on-the-day cancellation cost ranges roughly €16.6k–€25.7k for narrow-bodies and €85.6k–€123.9k for wide-bodies, with a system-wide average alternative of ~€20.9k per cancellation. Brussels reported dozens of cancellations on Sunday and further into Monday, so a day with, say, 50 cancellations could imply €1.0–€1.3 million on the conservative average, and far more if a material share were wide-bodies.

3) Passenger compensation exposure (EU261/UK261).

For delays ≥3 hours and cancellations, airlines may owe €250–€600 per passenger depending on distance and rerouting. Not every disrupted passenger qualifies, but for long-haul or missed connections the exposure climbs quickly.

Working range.

Across Friday night to Monday and across the four most affected hubs, a low-eight-figure combined airline cost is plausible when you add delay minutes, cancellations, care and accommodation, rebookings, and compensation exposure. This is in line with Europe’s historically high delay economics where network effects amplify initial outages. Treat this as a preliminary range, pending airline disclosures and insurer reports.

Root cause and lessons learned

Third-party concentration risk.

A single vendor outage created correlated operational risk across airlines and airports. ENISA says the event was a ransomware attack, and Collins confirms MUSE was the affected system. This is textbook single point of failure in the passenger-processing chain.

Why the manual fallback hurts.

Manual check-in works, but it is slow. It increases at-gate delays, inflates turnaround times, and creates reactionary delays across the network. These are precisely the cost categories Eurocontrol prices highly in its delay models.

Regulator posture.

The European Commission monitored the situation. The UK’s NCSC engaged with Collins and airports. Expect deeper scrutiny of software supply-chain controls and service-level recovery obligations for critical aviation IT.

What this really means for airports and airlines

1. Vendor due diligence is not enough. You need technical assurance, not just questionnaires. Demand proofs of isolation, recovery time objectives backed by tested runbooks, and ransomware-ready architecture for SaaS critical to operations.

2. Assume breach at the vendor. Build controls that contain a vendor failure: identity boundaries, network segmentation, and traffic policing between your estate and the vendor’s.

3. Practice manual operations as a designed mode. Treat “manual day” like a planned exercise with staffing rosters, signage packs, pre-printed fallback barcodes, and battery-powered scanners.

4. Instrument the fallback. Even during manual ops, you can capture enough data to restart automated reconciliation quickly once systems return.

5. Align EU261/UK261 readiness. Pre-stage compensation workflows and hotel/meal care contracts so passenger care does not stall gates.

Don’t Let Cyber Attacks Ruin Your Business

Certified Security Experts: Our CREST and ISO27001 accredited experts have a proven track record of implementing modern security solutions
41 years of experience: We have served 2600+ customers across 20 countries to secure 7M+ users
One Stop Security Shop: You name the service, we’ve got it — a comprehensive suite of security solutions designed to keep your organization safe

Book Your Free Consultation Call Now

UK:

+44 (0)20 3336 7200

KSA:

+966 1351 81844

UAE:

+971 454 01252

Call
UK: +44 (0)20 3336 7200
KSA: +966 1351 81844
UAE: +971 454 01252

Contents

The incident in one page
Timeline and operational picture
Scale of impact
How much did it cost?
Working range.
Root cause and lessons learned
What this really means for airports and airlines

To keep up with innovation in IT & OT security, subscribe to our newsletter

Thank you

Our team of industry domain experts combined with our guaranteed SLAs, our world class technology .