Two ransomware crews hit Collins Aerospace last September. Neither knew the other was there. That stray detail, buried in post-incident reporting weeks after the headlines faded, captures everything wrong with aviation cybersecurity heading into May 2026.
Aviation has become the most actively targeted critical-infrastructure sector by ransomware operators this year. Confirmed incidents at Tulsa International Airport in January, repeat European hub disruptions in April, and a 600% surge tracked by IATA between 2024 and 2025 have brought crews like Qilin, Everest, and Scattered Spider directly to airline IT systems.
Why Aviation Became 2026’s Hottest Ransomware Target
One hour of operational disruption at a major airport costs roughly $1 million, according to industry estimates summarised in IATA’s May 2025 aviation cybersecurity fact sheet. A single shared vendor can sit underneath dozens of carriers and airport authorities at once. Hit one node, and the cascade sweeps across continents within hours.
That cascade is what makes the sector so attractive. Airlines, airports, aerospace manufacturers, ground handlers, reservation platforms, and maintenance providers all share platforms and federated identities. ENISA’s 2025 Threat Landscape report, which catalogued 4,875 incidents across the EU between July 2024 and June 2025, ranked transport second only to public administration as the most-targeted sector.
Three numbers explain the surge:
- 600% rise in aviation-targeted cyberattacks between 2024 and 2025, per IATA tracking.
- 27 significant ransomware incidents recorded across the sector from 22 distinct groups between January 2024 and April 2025.
- 71% of intrusions involved stolen credentials or unauthorized access, mostly through help desk social engineering.

The Collins Aerospace Breach That Took Down Heathrow
The reference incident is still the September 19, 2025 attack on Collins Aerospace’s MUSE passenger-processing platform. RTX, Collins’s parent company, later confirmed the breach involved ransomware. Heathrow, Brussels, Berlin, and Dublin all reverted to manual check-in within hours.
Cancellations and queues told the real-world story. Brussels scrubbed roughly 60 flights out of 550 the following Monday. Berlin reverted to paper boarding passes and ran departure delays of more than an hour. Heathrow processed most flights but warned passengers of slower boarding for carriers reliant on MUSE.
UK reporting attributed to NCSC-UK statements later confirmed that the Everest ransomware group had quietly exfiltrated more than 50GB of data via an exposed FTP server before a second, separate ransomware operator hit the MUSE system itself. Neither crew was aware of the other. Old passwords and a delayed patching response were named as the underlying enablers.
Everest publicly claimed the data theft, posted Collins-attributed files to its dark-web leak site, and reset its countdown clock to October 14 before pushing it out another eight days. No public ransom figure was disclosed.
April’s European Replay: Six Months, Same Wound
Europe got hit again between April 4 and April 6, 2026. Reported disruptions stretched across the United Kingdom, France, Germany, Denmark, Italy, and the Nordics. London Heathrow, Paris Charles de Gaulle, Frankfurt, Copenhagen, and Oslo all logged long manual-process queues at check-in and security. Aviation support software used for check-in, boarding, and baggage handling appears to have been the common failure point.
Public technical attribution for the April wave remains thin. Travel-sector reporting documented tens of thousands of stranded or rebooked passengers and overnight stays across the affected hubs. Whatever the attribution, the pattern repeats the September lesson: the failure point sits one layer beneath the airline brand on the boarding pass.
Tulsa Becomes the Year’s First Confirmed U.S. Airport Casualty
On the U.S. side, Tulsa Airports Improvement Trust disclosed that an unauthorized third party accessed and pulled files from its systems between January 17 and January 20, 2026. The trust’s public notice did not name an attacker or confirm encryption.
Qilin filled in the blanks. Within weeks, the gang posted Tulsa International Airport to its leak site and uploaded sample files allegedly including the airport CFO’s personal contacts, private banking communications with executives outside the airport, employee passport and driver’s license scans, annual budget spreadsheets, NDAs, telehealth reports, governance meeting minutes, insurance documents, tenant databases, and court case filings.
Tulsa’s breach matters less for its operational impact, which was minimal, than for what it signals. It is the airline sector’s first publicly confirmed cyber incident of 2026, and it confirms that mid-sized U.S. airport authorities sit squarely in Qilin’s crosshairs alongside the European hubs.
Scattered Spider’s Help Desk Playbook
The single most active threat actor across the airline sector right now is Scattered Spider. The FBI flagged the pivot in June 2025, and a CISA-led joint advisory updated July 29, 2025 formalized the warning across U.S., U.K., Canadian, and Australian cyber agencies.
https://x.com/FBI/status/1938746767031574565
The playbook is mundane and ruthless. A caller impersonates a contractor, asks the help desk to register a new MFA device, and walks straight into a federated identity layer that can span multiple operators. Within weeks of the FBI alert, WestJet (June 13, 2025), Hawaiian Airlines (June 23, 2025), and Qantas had each disclosed cybersecurity incidents that incident responders later linked to Scattered Spider’s tradecraft.
What makes identity intrusion so dangerous in aviation is the scale of damage from a single compromise. If an attacker gains access to a shared service provider or identity layer, the breach can cascade across multiple airlines and airport operators simultaneously. A single successful social engineering call against a third-party contractor’s help desk can hand over keys to systems spanning multiple carriers at once.
Charles Carmakal’s guidance has, in practice, become the working industry standard for airline security teams. He flagged the structural weakness in a LinkedIn post published shortly after the Hawaiian disclosure:
“The industry needs to immediately take steps to tighten up help desk identity verification processes prior to adding new phone numbers to employee or contractor accounts,” wrote Charles Carmakal, CTO at Google Cloud’s Mandiant.
The Cast: Qilin, LockBit, Cl0p And The State-Aligned Crews
PolySwarm’s 2026 aviation threat assessment names the operators worth tracking. Three are profit-driven ransomware families. Four are nation-state or state-aligned crews with espionage or sabotage objectives. Each presents a distinct risk profile against airlines, manufacturers, and aerospace suppliers.
The split looks like this:
| Group | Type | Primary Risk to Aviation |
|---|---|---|
| Qilin | RaaS ransomware | Confirmed Tulsa breach; aggressive 2025-26 affiliate expansion |
| LockBit | Ransomware | Suppliers, manufacturers, MRO providers feeding airline operations |
| Cl0p | Data extortion | Supply chain breaches via shared file-transfer platforms |
| Scattered Spider | Cybercrime, social engineering | Identity intrusion at airlines and IT contractors |
| Refined Kitten (APT33) | Iran-linked | Aerospace manufacturers, defence suppliers |
| Wicked Panda (APT41) | China-linked | IP theft from aerospace and avionics R&D |
| Fancy Bear (APT28) | Russia-linked | Espionage on military aviation and GNSS infrastructure |
GPS Ghosts: When The Cockpit Can’t Trust The Sky
Beyond ransomware, GNSS interference is the second escalating threat. Roughly 900 flights per day were affected by GPS interference globally as of early 2026, and more than 700 flights in Gulf air corridors had logged suspected spoofing events by March.
Spoofing’s mechanics differ from ransomware but the operational consequence rhymes. A counterfeit satellite signal can leave a receiver calculating false positions for hours after the aircraft has left the affected zone. Functions that ride on position and timing data, including RNAV/RNP routing, ADS-B surveillance, automatic navaid tuning, synthetic vision, and terrain awareness systems, can degrade in ways that don’t always trigger an obvious cockpit alert.
The FAA’s updated GPS/GNSS interference resource guide, version 1.1, names the trends and adds new procedural guidance for pilots. EASA and Eurocontrol’s joint GNSS interference action plan covers detection, reporting, and situational-awareness improvements across European airspace.
“While the potential threat to aviation safety from GNSS interference has so far been mitigated by short-term actions such as raising pilot awareness, it is clear that more needs to be done,” said Florian Guillermet, Executive Director of EASA, in the agency’s release accompanying the joint action plan.
The Defensive Playbook Aviation Operators Are Updating Now
Security teams across the sector are now treating shared airport IT platforms as priority single points of failure rather than cost-saving conveniences. Contingency plans for fully manual operations are being tested on a regular cadence, not filed as theoretical documents to gather dust.
Identity verification is the second front. Help desks are moving past simple MFA toward callback verification, in-person hardware token enrolment, and contractor-specific access reviews.
Operators are tightening four areas in parallel:
- Help desk identity verification redesigned to defeat social engineering and SIM-swap attempts.
- Third-party vendor security maturity assessments, with smaller regional suppliers prioritised.
- GNSS interference resilience integrated into route planning for geopolitically sensitive corridors.
- Manual-operations playbooks rehearsed at airport scale, not just at airline scale.
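The help desk controls above (callback verification, in-person hardware token enrolment) can also be audited after the fact in identity logs. The sketch below is an added example, not from the article or any vendor: the event fields, the 30-minute window and the contractor severity rule are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

CALLBACK_WINDOW = timedelta(minutes=30)  # assumed policy value

# Constructed sample audit events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2026-05-04T09:00:00", "type": "callback_verified", "user": "a.ortiz",
     "actor": "hd-agent-7"},
    {"ts": "2026-05-04T09:06:00", "type": "mfa_enrolled", "user": "a.ortiz",
     "actor": "hd-agent-7", "method": "phone", "account": "employee"},
    {"ts": "2026-05-04T10:15:00", "type": "mfa_enrolled", "user": "c.vendor1",
     "actor": "hd-agent-3", "method": "phone", "account": "contractor"},
    {"ts": "2026-05-04T11:00:00", "type": "mfa_enrolled", "user": "j.smith",
     "actor": "hd-agent-3", "method": "hardware_token_in_person", "account": "employee"},
    {"ts": "2026-05-04T08:00:00", "type": "callback_verified", "user": "m.lee",
     "actor": "hd-agent-2"},
    {"ts": "2026-05-04T13:30:00", "type": "mfa_enrolled", "user": "m.lee",
     "actor": "hd-agent-2", "method": "phone", "account": "contractor"},
]


def unverified_enrolments(events, window=CALLBACK_WINDOW):
    """Return help desk MFA enrolments with no recent callback and no in-person token."""
    last_callback = {}  # user -> time of the most recent unused callback verification
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "callback_verified":
            last_callback[ev["user"]] = ts
        elif ev["type"] == "mfa_enrolled":
            if ev["method"] == "hardware_token_in_person":
                continue  # enrolled face to face, no phone-based trust involved
            # One callback covers one enrolment, so it is consumed here.
            verified = last_callback.pop(ev["user"], None)
            if verified is not None and ts - verified <= window:
                continue
            reason = "no callback on record" if verified is None else "callback too old"
            # Assumption: contractor accounts are escalated, matching the
            # contractor-specific reviews the article describes.
            severity = "high" if ev["account"] == "contractor" else "medium"
            findings.append((ev["user"], ev["actor"], reason, severity))
    return findings


if __name__ == "__main__":
    for finding in unverified_enrolments(EVENTS):
        print(finding)
```
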
Frequently Asked Questions
Is It Safe To Fly During An Aviation Ransomware Attack?
Yes. Every confirmed 2025 and 2026 incident, including Collins Aerospace, Tulsa, Hawaiian Airlines, WestJet, and Qantas, affected back-office and passenger-processing systems, not aircraft flight controls. Flights operated safely throughout, though check-in, boarding, and baggage handling reverted to manual processes. If your hub is reporting a cyber incident, arrive at least three hours before departure and check your airline’s official status page directly rather than relying on third-party flight trackers.
What Personal Data Did The Tulsa Airport Breach Expose?
Qilin’s leak site posted samples allegedly including employee passport and driver’s license scans, the airport CFO’s personal contact information, banking communications, telehealth reports, NDAs, tenant databases, and court case filings. Tulsa’s official notice did not specify which records were taken. Anyone employed by or contracted to Tulsa Airports Improvement Trust between 2023 and January 2026 should request a free credit freeze with the three U.S. credit bureaus and watch for unsolicited account-recovery emails.
How Do I Know If My Airline Was Hit By Scattered Spider?
Hawaiian Airlines (June 23, 2025), WestJet (June 13, 2025), and Qantas have publicly disclosed cybersecurity incidents linked to Scattered Spider. Affected carriers typically issue customer notices through their official sites and email registered loyalty members directly. If you flew with any of those three airlines in 2025, change the password on your loyalty account, enable hardware-key MFA where supported, and watch for refund-redirect or fake rebooking emails.
Can GPS Spoofing Actually Crash A Plane?
No confirmed crash has been linked to GNSS spoofing as of May 2026. EASA Executive Director Florian Guillermet has stated the interference has disrupted European operations but not endangered flights. Modern aircraft carry multiple navigation backups, including inertial reference systems and ground-based navaids. The greater operational risk is degraded routing, false terrain alerts, and increased pilot workload, particularly across Gulf and Eastern European airspace where spoofing is concentrated.
The pattern across these incidents is plain. The attack surface that matters in aviation is not the carrier name on the ticket but the vendor names that appear nowhere on it. Defenders who understand that, and budget for it, have a chance of staying ahead of the next September.
Disclaimer: This article reports on publicly disclosed cybersecurity incidents and recommended defensive practices in the aviation and aerospace sector. The information is for general awareness only and does not replace formal incident response procedures or vendor-specific security guidance. Aviation operators, airlines, and airport authorities should consult qualified security professionals and follow their national civil aviation authority directives. Figures and attributions cited reflect publicly available reporting as of May 2026 and may evolve as investigations conclude.



