Investigation launched after Dublin airport passenger data published online in Collins Aerospace data breach

Ireland’s airport operator daa has launched an investigation after a cyber incident at one of its third-party suppliers, Collins Aerospace, potentially exposed personal information belonging to passengers who traveled through Dublin Airport in August.

The breach, discovered on September 18, involved an IT system operated by Collins Aerospace, a U.S.-based aerospace and defense technology company that provides software used for airport check-in and boarding operations. According to reports, one of the compromised files contained boarding pass data for passengers departing Dublin Airport between August 1 and 31, 2025.

daa, which operates both Dublin and Cork airports, said it was formally notified of the incident by Collins Aerospace on September 18 and immediately reported the matter to Ireland’s Data Protection Commission the following day. On October 17, the operator learned that a cybercriminal group may have published some of the stolen data online.

In a statement, daa said it is “aware of a data security incident involving a third-party supplier, Collins Aerospace,” and confirmed that the issue is under “active investigation.” The company added that it is working closely with the Irish Aviation Authority, the Data Protection Commission, the National Cyber Security Centre, and affected airline partners.

“At this time, there is no evidence of any direct impact on daa systems,” a spokesperson said. “Passengers who travelled in August do not need to take any immediate action but should remain alert to any unusual activity related to their bookings.”

While daa has not disclosed how many passengers were affected, The Irish Times reported that the breach could involve data on “millions” of travelers. Dublin Airport, one of Europe’s busiest aviation hubs, handles more than 100,000 passengers a day, with traffic exceeding 33 million travelers in 2024.

The compromised data reportedly includes passenger names, booking references, frequent flyer numbers, and possibly contact details and travel itineraries. Several airlines, including Swedish carrier SAS, have notified customers whose data may have been exposed. In a message to passengers, SAS said it was informed by Dublin Airport that “an unauthorized party gained access to certain passenger data” linked to August departures, and confirmed it had alerted Sweden’s Authority for Privacy Protection.