Late Friday, 19 September 2025: screens freeze, bag-drops stall, lines snake. By Sunday night (21 Sep) some order returns; by Monday morning (22 Sep), the backlog still bites. What happened? A ransomware hit on the check-in backbone many airports share. Who’s fixing it? Collins Aerospace—part of RTX—says updates are nearly done. But the ripple effects? Still rolling.
What failed—and how it spread
A shared spine with a single weak link
The outage struck MUSE/cMUSE, Collins’ common-use platform that powers multi-airline kiosks, counters, boarding and bag-drops. One vendor, many customers; one breach, many bottlenecks. When MUSE stalls, airports shove passengers back to staffed desks and web check-in—slower, visible, frustrating.
Friday → Monday: the arc of a disruption
Failures began Friday evening and rippled through Heathrow, Brussels, Berlin, and Dublin. By Monday, Collins told partners recovery was “near completion,” yet manual workarounds and rolling delays persisted. ENISA confirmed the culprit: ransomware at a third-party infrastructure provider. Origin? Undisclosed.
How big was the hit?
Airport snapshots—numbers you can feel
- Brussels: 50 Sunday departures scrapped (out of 257), then 60 of 550 flights cancelled Monday; staff processed passengers on iPads and laptops to keep queues moving. Ouch.
- Heathrow: most flights operated, yet ~90% saw delays averaging 34 minutes on Sunday—kiosk loss slows turnarounds even when planes still go.
- Berlin (Marathon weekend!): long lines, widespread manual check-in; the city’s major event added pressure.
- Dublin: minimal impact versus peers, but caution advisories remained.
Market signal
Airline shares (IAG, easyJet, Wizz Air) slipped as investors priced disruption risk. Not a rout—enough to notice.
Why one vendor matters so much
Efficiency vs. concentration—choose your poison
Common-use tech slashes duplication and speeds turns. It also centralises risk. The lesson (re)learned: segment networks, keep offline fallbacks, drill for multi-hub failure. Because failure clusters—especially on Fridays.
What authorities and operators did
Manuals out, laptops up; cyber teams on the line
Airports pivoted to staffed desks and online check-in; some teams processed passengers with ad-hoc tablets. National cyber units (e.g., the UK’s) coordinated with Collins and law enforcement while ENISA tracked indicators tied to the ransomware family. Recovery was staggered, not instant.
Traveler playbook (today, not theory)
Practical moves while systems stabilise
- Check in online and save your pass locally (PDF/screenshot).
- Arrive earlier than usual; manual desks move slower.
- Keep essentials in the cabin (meds, chargers, a spare shirt) in case of misconnections.
- Watch rotations—when aircraft and crews are out of position, delays propagate.
Same weekend, different failure: Dallas
Telecom cut shows fragility rhymes
Across the Atlantic, cut fibre/ISP failures near Dallas–Fort Worth triggered FAA ground stops: 1,800+ delays and hundreds of cancellations Friday. Separate cause, similar outcome—network brittleness meets peak traffic.
Fast timeline
From first freezes to phased recovery
- Fri, 19 Sep — Kiosks fail at multiple EU hubs; manual processing begins.
- Sat, 20 Sep — Cancellations mount; Brussels pares schedules.
- Sun, 21 Sep — Heathrow running, but delays common; Berlin and Dublin affected.
- Mon, 22 Sep — ENISA confirms ransomware; Collins says fixes near completion; Brussels still cutting flights.
Bottom line
One ransomware strike against a shared system became a continent-wide bottleneck. Europe’s biggest hubs coped—barely—by going manual. The immediate fix is landing; the strategic fix is harder: segment, simulate, prepare to fly offline when the lights go out.
