The weekend’s chaos at Brussels, Heathrow and Berlin airports has exposed a truth many in the aviation industry would rather ignore: Europe’s airports fly on fragile digital wings, and when they are clipped, the entire system falters.
The culprit was not weather, strikes, or malfunctioning aircraft, but a cyberattack on Collins Aerospace’s MUSE system, the software underpinning check-in, boarding and baggage functions for airlines across the continent.
When hackers forced it offline on Friday, airports reverted to pen-and-paper boarding passes and hand-written luggage tags. These emergency procedures — relics from another era — proved hopelessly inadequate for the scale of modern passenger flows.
No hub was hit harder than Brussels Airport, which was forced to cancel 25 flights on Saturday, 50 on Sunday, and slash half its Monday departures. Berlin Brandenburg and Heathrow fared somewhat better, though queues and delays stretched through the weekend.
Collins, owned by RTX, said it was finalising secure updates, but the delays in rolling them out highlight a structural problem: each airport’s system is customised, so patches cannot be applied uniformly. In the meantime, passengers are left stranded.
Those savvy enough to check in online or travel light escaped the worst. Families with hold luggage or special requirements were less fortunate, stuck in lines snaking across terminal floors.
Airlines now face the bill. EU passenger rights law mandates compensation even when failures lie with a third-party provider. The financial haemorrhage will run into millions, while airports lose revenue not only from lost flights but from shuttered shops and idle concessions.
This is not aviation’s first IT shock. In 2017, a global outage at Amadeus crippled check-in systems worldwide. That same year British Airways’ data-centre failure stranded 75,000 passengers. In 2021, a SITA breach compromised frequent-flyer records.
Each incident was a warning. Each was brushed aside as exceptional. Now, with a deliberate cyberattack on Collins, the pattern is impossible to ignore: aviation’s digital arteries are exposed, and attackers know it.
Brussels has already opened investigations. Regulators will ask whether Collins had adequate defences, how its patching regime failed, and why segmentation was insufficient to prevent one compromise from spreading to baggage and boarding systems.
The likeliest outcome is tighter regulation. Aviation IT providers may soon be classified as critical infrastructure, subject to audits, liability, and certification on par with aircraft safety standards.
The industry now faces a choice. It can continue to concentrate its lifeblood in the hands of a few vendors, relying on outdated contingency plans. Or it can diversify providers, build genuine redundancy, and treat IT with the seriousness once reserved only for engines and airframes.
Anything less invites repetition. Next time the attack may not fall on a weekend in September, but at Christmas or summer peak — when the consequences will be even more chaotic.
For passengers, the hack was an inconvenience. For airlines, it was a costly lesson. For Europe’s aviation industry, it should be a turning point.
In the 21st century, aircraft no longer fly on wings alone. They fly on software, servers, and code. And until those systems are secured and made resilient, every boarding pass printed is a reminder of just how vulnerable our skies have become.
