Cyberattack on Collins Aerospace: The digital sabotage that paralyzed European airports

The weekend of September 19 to 20, 2025, marked an unprecedented episode in the recent history of European aviation. A massive wave of delays, cancellations, and long queues took over several international airports, affecting tens of thousands of passengers and generating chaos that lasted for several days. The culprit was a ransomware cyberattack targeting Collins Aerospace, one of the leading global providers of check-in and boarding systems, owned by the American giant RTX (formerly Raytheon Technologies).

This cyberattack not only exposed the fragility of technological infrastructure in a sector as vital as air transport but also highlighted the new forms of digital threats that go beyond the virtual sphere to tangibly impact daily life and the global economy. However, the growing dependence on technology in critical sectors has not been matched by adequate preparation to mitigate such risks, making cyberattacks like this mandatory lessons for governments, companies, and users.

Below, together with the experts from ITD Consulting, we explore in depth the origin of the cyberattack, its consequences, the response of the authorities, the possible perpetrators, and the lessons for the future of cybersecurity in Europe and the world.

The context prior to the cyberattack: The importance of Collins Aerospace in global aviation

Collins Aerospace is a key player in the aerospace and defense industry. Founded from the merger of technology companies specializing in aeronautical systems, it provides comprehensive solutions for air traffic control, communications, navigation, and—especially relevant in this case—automated systems for passenger check-in and boarding at airports.

Its systems are used in dozens of airports worldwide, making the company a fundamental link in ensuring the smooth and secure operation of airport processes. The automation of these processes is vital for handling the high volume of passengers passing daily through international terminals, where time and precision are essential. However, this same technological dependency can become a significant risk when systems fail or are compromised.

Moreover, Collins Aerospace holds contracts with major airports and airlines, including some of the busiest in Europe, meaning that a failure in its systems does not only affect one region but can cause a domino effect impacting flights, connections, and logistics chains across the entire continent. This level of dependency reveals a systemic vulnerability that demands urgent attention.


Timeline and nature of the cyberattack: From code to chaos on the ground

On the night of September 19 to 20, a ransomware cyberattack managed to infiltrate the systems of Collins Aerospace that manage check-in and boarding at several European airports. The systems were encrypted, blocking access to information and paralyzing automation. 

This cyberattack not only froze digital operations but also had an immediate effect on the ground. The affected airports were forced to revert to manual procedures, which slowed down processing, created a massive bottleneck, and left passengers facing long queues.

Brussels-Zaventem Airport was one of the most affected by the cyberattack, with reports of mass cancellations and endless lines. Other airports, such as Berlin-Brandenburg and Heathrow, also experienced significant delays and extended waiting times, which had a major impact on both passengers and airlines that had to reorganize their schedules.

Manual operations, although effective as a temporary measure, do not have the capacity to handle the normal flow of passengers, which amplified the disruption. Berlin-Brandenburg Airport initially avoided classifying the incident as a cyberattack, instead calling it “technical problems in a system provider that operates throughout Europe,” in an attempt to minimize panic. However, the evidence and coordination between agencies confirmed the seriousness of the attack.

Additionally, airport operators had to implement contingency measures, such as the early cancellation of flights to avoid a total collapse, affecting not only travelers but the entire associated logistics chain, including suppliers, airlines, and related services. These preventive measures, although necessary, left thousands of passengers stranded and disoriented due to the cyberattack.

Direct impact of the cyberattack on passengers and the air transport economy

The human impact of the cyberattack was considerable. In Brussels, approximately 35,000 passengers suffered delays, flight cancellations, or disruptions, facing long waits and a lack of clear information in a high-stress environment. Testimonies such as that of Marta González, a passenger whose flight to Madrid was canceled with no immediate rebooking option, show the difficulties and lack of preparedness in facing such a scenario. 

The absence of rapid solutions or effective communication during a crisis caused by the cyberattack generates frustration and loss of trust in the institutions involved. Data from the FlightAware tracker reflects the magnitude of the problem: around 100 delays at Heathrow, 70 in Brussels, and 15 in Berlin over the weekend. 

The cyberattack also has economic consequences for airlines, airports, and the tourism industry, which suffer multimillion-euro losses due to the disruption of operations. The cancellation or delay of flights generates additional costs in fuel, personnel, accommodation, and passenger compensation, not to mention reputational damage that is difficult to quantify.

In addition, the image of European airports and public trust were damaged, generating a perception of technological insecurity that could influence travel decisions and the sector’s reputation. In a context where competition between airports and airlines is fierce, these cyberattack-related incidents can lead to customer loss and decreased revenue in the medium and long term.

Repercussions in other sectors: The supply chain at risk

This cyberattack was not an isolated event. Just days earlier, Jaguar Land Rover, the largest car manufacturer in the United Kingdom, announced that it was extending the closure of its factories until October due to a cyberattack that paralyzed its operations. Although this incident is not directly linked to the attack on Collins Aerospace, it highlights a growing trend of cyberattacks affecting strategic economic sectors in Europe.

The technological interconnection between suppliers, manufacturers, and key services exposes the supply chain to greater risks, as a targeted cyberattack can have repercussions that extend beyond the initial target. For example, the shutdown of automotive plants due to a cyberattack affects not only production but also parts suppliers, distributors, and the associated labor market.

This exposure to cyberattacks poses a complex challenge for the economy, where technological and organizational resilience is key to preventing isolated incidents from becoming systemic crises that impact society as a whole.

Ransomware profile: An invisible and persistent enemy

Ransomware is a type of malware that has rapidly evolved over the last decade. It works by infecting IT systems and encrypting crucial data, then demanding a ransom payment in exchange for the key to unlock the information.

This type of cyberattack is characterized by high technical sophistication. Cybercriminals use advanced methods to avoid detection and spread quickly within complex networks, exploiting vulnerabilities or poor configurations. Moreover, the groups behind these attacks often operate in the shadows, using the dark web to communicate and demand ransoms, which makes locating and prosecuting them more difficult.

The pressure tactics used in these cyberattacks include not only encryption but also the leaking of stolen data. This dual threat means that organizations are often caught between paying the ransom and facing even greater reputational and legal consequences.

In addition, ransomware groups carefully select their targets. Many avoid attacking high-profile critical infrastructures to avoid severe legal reprisals, preferring medium-sized companies that can pay without attracting too much attention. However, the cyberattack on Collins Aerospace breaks with these norms by directly impacting a critical and visible sector, generating disruption that attracted immediate international attention and challenged regional security.


The Investigation: Arrest in the UK and Open Lines

In response to the cyberattack, the UK’s National Crime Agency (NCA) arrested a man in West Sussex on September 23, suspected of being connected to the incident. The individual, in his 40s, was released on conditional bail while investigations continue, in a process aimed at unraveling the complex network behind the cyberattack.

Paul Foster, Deputy Director of the NCA, described the arrest as a “positive step” but emphasized that the investigation into the cyberattack is still in its early stages, with no confirmation yet regarding the perpetrators or the full extent of the criminal network involved. Authorities are working in coordination with international agencies to trace connections and gather digital evidence to advance prosecution efforts.

The European Union Agency for Cybersecurity (ENISA) has also confirmed the cyber nature of the incident and is working alongside national authorities to analyze the cyberattack and strengthen Europe’s defenses. Its role will be key in promoting common cybersecurity standards and improving the capacity to respond to cross-border threats.

Who's Behind It? The Shadow of Pro-Russian Groups

Although there has been no official claim of responsibility or conclusive evidence, the pattern and context suggest possible involvement of cybercriminal groups linked to Russia or pro-Russian sympathizers. These groups have carried out similar cyberattack campaigns in recent years, including denial-of-service attacks targeting infrastructure in Germany (2023) and Italy (2024), aimed at disrupting services without directly attacking critical infrastructure.

The strategic objective of the cyberattack would be twofold. First, it would seek to destabilize and erode European trust by affecting essential public and private services, projecting an image of vulnerability and disorganization. Second, it would seek to generate economic and logistical costs that affect response capacity and cause political and social strain in the affected countries.

Such cyberattacks fall within the scope of hybrid warfare, where cyberspace becomes a crucial battleground for influencing politics and public opinion without resorting to conventional violence. The complexity of these operations makes direct attribution difficult, which complicates both diplomatic and law enforcement responses.

Social and Political Impact: Beyond Technology

The effects of the cyberattack went beyond the technical and economic realm, reaching social and political dimensions. In a Europe still strained by geopolitical conflicts and security challenges, such cyberattacks are also interpreted as warning messages and tests of resilience in the face of unconventional threats.

European governments are facing increasing pressure to enhance their cyber defense capabilities, promote international cooperation, and protect both public and private infrastructure. This involves significant investments in technology, training, and multilateral coordination.

For citizens, the crisis generated distrust in the safety of essential services and in the authorities’ ability to respond. The lived experience exposed the need for greater transparency, effective communication, and cybersecurity education to prepare users for similar situations.

Risk Mitigation Strategies: Lessons Learned and Recommendations

This cyberattack highlights the urgent need to review and strengthen cyber defenses in critical infrastructure. Below are key measures recommended for organizations and governments to counter cyberattacks:

1. Strengthening Corporate Cybersecurity

Companies that provide critical services must adopt a comprehensive security policy, including ongoing security audits to detect vulnerabilities. Network segmentation is essential to limit the reach of potential cyberattacks and prevent an incident from spreading across the entire system. Constant updating of systems and security patches is also crucial to close any open doors to attackers. Finally, training and awareness programs for staff are fundamental, as human error is one of the main entry points for malware-based cyberattacks.

2. Incident Preparedness and Management

Having contingency plans that allow for a quick and coordinated response in the event of cyberattacks is crucial to minimize operational impact and facilitate recovery. Regular drills and a clear definition of roles and responsibilities ensure that everyone involved in the response knows how to act in a crisis.

3. Public-Private Cooperation

Governments and companies must work together to share threat intelligence, coordinate responses, and establish common action protocols in the face of cyberattacks. This collaborative approach increases early detection capacity and the effectiveness of preventive measures.

4. Legislation and Sanctions

Promoting regulatory frameworks against cyberattacks that require companies to comply with minimum cybersecurity standards—and that impose strong penalties for negligence that puts national or public security at risk—is essential to raise the overall level of protection.

5. Investigation and Prosecution

Strengthening law enforcement and judicial capacities to investigate and sanction those responsible for cyberattacks—both nationally and internationally—through the promotion of multilateral agreements is indispensable to deter future criminal actions.

The Future of Cybersecurity in the Aviation Sector and Critical Infrastructure

The cyberattack on Collins Aerospace is a clear wake-up call: digitalization, while offering enormous benefits in efficiency and connectivity, also creates new vulnerabilities that can be exploited by malicious actors.

For the aviation sector, this implies a cultural transformation that integrates cybersecurity as a central element in all processes, from design to daily operations. Investment in secure technology, resilience to incidents, and continuous training will be decisive in ensuring operational continuity and the trust of users and regulators.

Likewise, international cooperation will be key to anticipating and neutralizing cyberattacks that know no borders, ensuring the security and continuity of air transport, which is vital to the global economy and society.

The development of new technologies, such as artificial intelligence and predictive analytics, also promises to enhance the ability to detect and respond rapidly to attacks before they cause significant damage. However, these tools must be implemented with ethical and privacy criteria that respect the rights of all users.


The cyberattack of September 2025 against Collins Aerospace is an episode that will remain etched in the history of aviation and cybersecurity. Beyond the chaos and economic losses, this cyberattack is a clear example of how digital security has become a fundamental pillar for social and economic stability.

The crisis caused by the cyberattack revealed the high dependence on critical technological infrastructures and the urgent need to implement robust strategies that minimize risk and increase the capacity to respond to cyber incidents. While globalization and digitalization have improved the efficiency and connectivity of essential sectors, they have also opened new doors for crime and sabotage.

Moreover, this incident showed that modern cyberattacks are not merely isolated IT crimes, but acts with deep geopolitical, economic, and social implications. Their complexity and the context in which they occur require States, companies, and civil society to act with maximum coordination, investment, and commitment to protect critical infrastructure.

This cyberattack should serve as a catalyst to accelerate the transformation in digital security, fostering a culture of prevention, cooperation, and resilience that prepares Europe—and the world—to face the technological challenges of the future. Security can no longer be a secondary concern; it must be integrated as a strategic element essential to the continuity and stability of our societies.

Finally, for the affected users and travelers, this experience leaves a lesson about the importance of patience, early planning, and constant verification of information in times of technological crisis. If you want to know more about how to protect yourself from potential cyberattacks, write to us at [email protected]. We have a team of experts ready to offer tailored solutions for your needs.
