Ransomware Hits the Skies: Hackers Claim Dublin Airport Data in 1.5 Million-Record Heist

A cyberattack that disrupted check-in systems across European airports last month appears to have deeper roots. The Everest ransomware group has claimed responsibility, saying it stole more than 1.5 million passenger records from systems operated by Collins Aerospace, a subsidiary of RTX Corporation that provides the shared MUSE check-in platform used by major hubs.
The group posted a sample on its dark-web site listing passenger names, flight numbers, frequent-flyer tiers, ticket serial numbers and device identifiers, adding that the full dataset totals 1,533,900 records. The attackers said the information was taken from servers connected to airport operations, including boarding-pass and baggage-tag data. Collins Aerospace has not publicly commented on the claim.
The disclosure follows a system outage in mid-September that forced airports such as Heathrow, Brussels and Berlin Brandenburg to revert to manual check-in after their shared system went offline. At the time, Collins described the disruption as a cyber-related event, while later technical analyses linked it to a ransomware intrusion affecting its infrastructure. Investigators said the attackers appeared to exploit an exposed FTP server using legacy credentials before moving laterally into production environments.
The Dublin Airport Authority, which operates Dublin and Cork airports, said it had been notified of a supplier incident involving Collins and was working with Ireland’s data-protection regulator. In a statement, the authority said the affected file appeared to contain boarding-pass data from August 1-31 and that no evidence suggested its own systems were breached.
Researchers tracking the Everest group say the gang has recently targeted aviation and logistics providers to harvest booking and passenger metadata. In this case, the posting references Dublin Airport specifically, though analysts reviewing the listing said the structure of the records indicates it originated from a broader vendor environment supporting multiple airports.
Security experts warn that the leaked information, if authentic, could be used for phishing and identity-theft schemes, particularly against frequent flyers and airline staff. Because MUSE functions as a multi-tenant platform for dozens of airlines, a compromise at the vendor level creates a supply-chain risk extending well beyond a single carrier.
Observers note that the Collins Aerospace breach underscores how modern airport IT ecosystems rely on shared third-party software, creating single points of failure when vendors are compromised. Regulators under the EU’s NIS2 directive are expected to review whether aviation technology suppliers meet the same cyber-resilience standards required of critical-infrastructure operators.















