European Airports Hit by Ransomware: Third-Party Vendors as Attack Vectors
- Işınsu Unaran
- Sep 23
On September 20, 2025, a cyberattack disrupted passenger check-in and baggage systems at multiple European airports after Collins Aerospace’s MUSE software experienced a “cyber-related disruption.” Airports reporting impact included London Heathrow, Brussels, Berlin, Dublin and Cork. Airlines reverted to manual check-in and baggage handling, resulting in long queues, delays, and cancellations. Brussels Airport stated that it requested airlines to cancel half of their Sunday departures to manage passenger flow. The European Commission said there was no indication of a “widespread or severe attack,” and investigations were ongoing.
By September 22, the European Union Agency for Cybersecurity (ENISA) confirmed that the incident involved ransomware affecting a third-party provider of Collins Aerospace. The UK NCSC stated that it was working with Collins and the affected airports. Reporting noted gradual improvement at some hubs, with Heathrow stating most flights continued to operate while recovery work progressed.
This incident matters beyond national borders. Airports are not only national critical infrastructure; they are also international logistics hubs that interconnect airlines, border agencies, ground handlers, suppliers and trade routes across countries. Disruption at a shared software provider can easily ripple through that network and cause devastating consequences.

Kevin Beaumont, a cybersecurity specialist, followed and analyzed the attack on their account on the Mastodon server cyberplace.social and found that attackers likely exploited weaknesses in the third-party provider’s remote access, which gave them a path into the systems supporting MUSE.
Third-Party Vendors as an Attack Vector
The confirmed ransomware attack against a third-party provider supporting Collins Aerospace’s MUSE platform highlights how attackers are increasingly targeting vendors that sit in the operational path of multiple enterprises simultaneously. Compromising a shared service becomes a force multiplier. ENISA’s statement that a third-party provider was targeted places this event squarely in the broader trend of supply chain abuse.
Cynthia Kaiser, former deputy assistant director of the FBI Cyber Division, contextualized the risk and the response organizations need to prioritize by saying, “There’s a whole swirl around third-party services that we’re going to have to wrap our heads around, identify how we can better segment, better create blocks against.”
Her point aligns with two lessons from the incident:
- Shared software becomes a single point of failure. The MUSE platform supports passenger processing across multiple airports, so disruptions in one vendor’s environment can force many airports to revert to manual processes simultaneously. That reality multiplied delays and made recovery coordination more complex across hubs and carriers.
- Network segmentation and isolation are essential. The goal is to ensure that a vendor compromise cannot become a pathway into critical operational zones. Hardware-enforced separation and strict policy controls reduce the blast radius when a third party is affected.
How hardware-enforced isolation mitigates third-party risk
At DataFlowX, we take a different approach to cybersecurity—one that assumes compromise and builds security from the inside out. Our architecture is grounded in Zero Trust, enforced through military-grade, diode-based isolation technologies. We believe that critical systems should never rely solely on software-based defenses. Instead, protection must be physically enforced, protocol-aware, and designed to contain threats before they spread.
This principle of proactive segmentation underlies our entire product suite. In the context of third-party risk and vendor exposure, our solutions help organizations:
- Prevent ransomware and unauthorized commands from entering through trusted connections
- Restrict lateral movement across segmented operational zones
- Validate external inputs before they touch sensitive environments
- Ensure visibility and policy control at every data transfer point
Our solution suite forms an ecosystem that enforces hardware-backed segmentation, limits vendor trust to the absolute minimum, and maintains operational continuity even when the external environment is compromised.
- DataDiodeX: A diode-based unidirectional gateway that allows data to exit protected networks, such as log exports or telemetry, without allowing any inbound data, blocking malware and remote control attempts.
- DataBrokerX: A policy-enforced, protocol-filtering cross-domain gateway for controlled two-way communication, enabling operations like remote diagnostics or secure data sync without exposing internal systems to full external access.
- DataStationX: A secure upload kiosk that inspects and sanitizes removable media such as USB drives for vendor-supplied updates before allowing files into the internal network, eliminating one of the most exploited attack paths.
- DataSecureX: An advanced file analysis and sanitization platform that uses multi-engine detection, AI-enhanced sandboxing, and YARA rule enforcement to detect and neutralize malware, including ransomware, before it can propagate.
Ransomware will continue to target third-party services that connect to multiple customers simultaneously. The lesson is to design for containment by segmenting by function and criticality. Validate what crosses boundaries. Assume a vendor can be compromised and build physical and protocol controls that keep the blast radius small.
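The containment argument above can be checked against a network design before an incident tests it. The following is an added example, not code from DataFlowX or the original article: it models zones and the links between them and computes which zones an intruder in a vendor's remote-access zone can reach, comparing an ordinary two-way link with a one-way (diode-style) link. All zone names and both topologies are constructed for illustration.

```python
from collections import deque

def build_graph(links):
    """links: (zone_a, zone_b, kind). 'two_way' carries data both directions;
    'one_way' carries data from zone_a to zone_b only (diode-style)."""
    graph = {}
    for a, b, kind in links:
        if kind not in ("two_way", "one_way"):
            raise ValueError(f"unknown link kind: {kind!r}")
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set())
        if kind == "two_way":
            graph[b].add(a)
    return graph

def blast_radius(links, compromised):
    """Zones an intruder in `compromised` can push data or commands into."""
    graph = build_graph(links)
    if compromised not in graph:
        raise KeyError(f"zone not in model: {compromised}")
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in graph[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {compromised}

def exposed_critical(links, compromised, critical):
    """Critical zones inside the blast radius; an empty list means contained."""
    return sorted(blast_radius(links, compromised) & set(critical))

# Constructed topologies; zone names are hypothetical, not from the incident.
FLAT = [
    ("vendor_remote_access", "shared_vendor_platform", "two_way"),
    ("shared_vendor_platform", "airport_dmz", "two_way"),
    ("airport_dmz", "operational_zone", "two_way"),
]
SEGMENTED = [
    ("vendor_remote_access", "shared_vendor_platform", "two_way"),
    ("shared_vendor_platform", "airport_dmz", "two_way"),
    # Logs and telemetry leave the operational zone; nothing flows back in.
    ("operational_zone", "airport_dmz", "one_way"),
]

if __name__ == "__main__":
    for name, links in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = exposed_critical(links, "vendor_remote_access", ["operational_zone"])
        print(f"{name}: critical zones exposed to vendor compromise = {hit}")
```

The model is deliberately conservative: a filtered two-way gateway should still be entered as `two_way`, because any link that can carry inbound data counts as a possible path.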
Contact our expert team today to book a demo session and explore how you can protect your systems against similar attacks.









