
The Everest ransomware group said it is in possession of personal data of more than 1.5 million passengers and thousands of airline employees, claiming that Collins Aerospace, and not ransomware, is responsible for airport shutdowns across Europe.
In September, Collins Aerospace was the target of a significant ransomware attack that disrupted its ARINC Multi-User System Environment and the vMUSE self-service software platform used for electronic check-in, baggage management, and boarding at several major European airports, including London Heathrow, Berlin Brandenburg, Brussels, and Dublin.
The attack, first detected on September 19, 2025, caused widespread flight delays and cancellations as airport staff had to resort to manual check-in and baggage procedures. The European Union Agency for Cybersecurity (ENISA) confirmed that ransomware was responsible for the outage. The UK’s National Cyber Security Centre (NCSC) worked with Collins Aerospace, the Department for Transport, and law enforcement to assess the situation.
While Collins Aerospace did not disclose the identity of the hackers, the Everest ransomware group claimed responsibility for the cyber attack, listing the aviation service provider as a victim on its data leak site.
According to Cyberdaily, the ransomware group claims to have exfiltrated three distinct datasets, including 1,533,900 personal records totalling more than 50 gigabytes, a 17.5-gigabyte SQL dump containing information on 3,637 employees from various airlines, and a 50-gigabyte collection of miscellaneous files.
The group added that the employee data includes names, usernames, aliases, email addresses, and login activity, along with audit metadata. Passenger information, including frequent flyer details, airline affiliations, travel records, and seat numbers, was also compromised during the incident.
While Everest accused Collins Aerospace of deliberately shutting down systems for an insurance claim, analysis by security firm Hudson Rock suggests that Collins Aerospace was actually hit by two separate attacks concurrently.
Britain’s National Crime Agency (NCA) arrested a man in West Sussex on suspicion of offences under the Computer Misuse Act linked to the ransomware attack. The suspect was released on conditional bail, and investigations remain ongoing. Collins Aerospace is yet to publicly disclose the full scope of the attack or whether sensitive data was compromised.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543