
A Russian ransomware gang, which ignited chaos across Europe’s airports last month, has allegedly leaked data that it claims was stolen from Collins Aerospace.
The Russia-linked ransomware gang has released a dataset for download, claiming it belongs to Collins Aerospace, a technology service provider used by several major European airports to manage check-in and boarding systems.
The company and its MUSE check-in software had been a target of a devastating attack that froze European airports. Reportedly, the incident began on September 19th, when Collins Aerospace reported a “technical issue” to aviation authorities.
A spokesperson from RTX, Collins Aerospace’s parent company, at the time released a statement identifying a “cyber-related disruption” in its Arinc cMUSE software at certain airports, and said that the impact was “limited to electronic customer check-in and baggage drop and could be mitigated with manual check-in operations.”
Days into the airport commotion, ENISA, the European Union Agency for Cybersecurity, confirmed that the automated check-in systems had been disrupted by ransomware.
Later, the gang behind the attack threatened to release extensive passenger data from Dublin Airport in connection with the Collins Aerospace breach. The link to allegedly stolen data was dropped on November 11th. However, the link was later taken down by the gang.
The gang is still selling an Air Arabia database for $2 million. These claims are likely related to the third-party breach that shook the aviation sector.
What data from Collins Aerospace has been released?
Cybernews researchers have investigated 23GB of allegedly stolen data, reportedly taken from Collins Aerospace. Among the released files were binaries and supporting files, as well as some diagnostic logs for Collins Aerospace's internal tools. “The currently leaked information may help threat actors to identify vulnerabilities in Collins Aerospace systems faster and easier,” our researchers said.
There is also a file with 1.5 million entries containing passenger data. However, the leaked data is limited to names, dates, flight origin, and destination airports.
“Based on what the group shared previously in screenshots, it is likely that the uploaded data is only a part of the data they obtained,” our researchers added.
Cybernews has reached out to Collins Aerospace for more details. A response has yet to be received.
Who is the Everest Group?
The Everest gang first emerged on the scene in July 2021. The most disruptive attack conducted by the gang this year affected the aviation sector.
Just this week, the gang targeted Italian gas giant, SIAD Group. The company confirmed the breach, stating that it has not affected “continuity of operations.”
In September this year, the gang claimed BMW as a victim. It also claimed that it breached a subsidiary of Germany's second-largest bank, DZ Bank, and threatened to release stolen data. However, the bank denied that any such attack had taken place.
In July, the group claimed Mailchimp, the popular email marketing platform, along with a cache of “internal company documents.” However, some security insiders referred to it as “breadcrumbs.”
Everest, believed to be connected to the BlackByte ransomware group, set its sights on Coca-Cola’s Middle East division on May 22nd, eventually leaking the data of nearly 1000 employees from the company’s multiple distribution centers.
Seemingly part of a broader attack on Coca-Cola Europacific Partners, the world’s largest Coca-Cola bottler, the ransomware group reportedly stole an alleged 23 million records.
Just days after the attack on Coca-Cola, Everest claimed the prominent international private hospital Mediclinic, which has locations in the UAE, the Abu Dhabi Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB).
The gang was also behind the October 2022 attack on AT&T, allegedly offering access to the entire AT&T corporate network, as well as the Radisson Country Inn and Suites hotel chain in fall 2024.