
Hackers are threatening to leak the data of over a million Dublin Airport passengers unless a ransom is paid.
- Russia-linked Everest Group has listed Dublin Airport on its leak site, threatening to publish data unless a ransom is paid.
- The claims follow Everest’s hit on Collins Aerospace’s MUSE check-in software that disrupted European airports. Daa says its own systems show no direct impact.
- The ransomware group claims 1,533,900 records are at risk.
- Alleged stolen data includes names, flight numbers, seat assignments, routes, ticket numbers, frequent-flyer details, and device information used for check-in and boarding, raising risks of identity theft and targeted phishing.
- Passengers who traveled through Dublin Airport between August 1st and 31st, 2025
- Daa is investigating with regulators and airlines and advises August travellers to monitor for unusual booking activity.
Everest Group, the Russia-linked cybercriminal gang behind the ransomware attack, has listed Dublin Airport in Ireland as a victim on its dark web leak site. Dublin Airport handles over 35 million passengers annually and serves over 150 destinations with 40 airlines.
The claims come just after the gang claimed a breach of Collins Aerospace and its MUSE check-in software, which is used for check-ins and passenger management. The attack impacted multiple major airports across Europe and caused travel chaos for days.
Daa, the company that manages Dublin Airport, has confirmed the incident, linking the listing to the breach of its third-party supplier. According to the company, the investigation is ongoing, and it is working with regulators and affected airlines. The data breach might affect passengers who travelled through Dublin Airport from August 1st to 31st, 2025.
“At this time, there is no evidence of any direct impact on daa systems. Passengers who travelled through Dublin Airport in August do not need to take any immediate action but should remain alert to any unusual activity related to their bookings,” said Daa's spokesperson to Cybernews.
1.5 million records at stake
For now, the gang has not released a data sample to back up its claims. The post on its leak site includes a timer showing that the company has five days to contact the cybercriminals before the stolen data is released.
Ransomware gangs often list victims on their dark web leak sites in an attempt to blackmail organizations into paying a ransom or else face a damaging leak of stolen data.
The ransomware group claims to have stolen sensitive passenger data, containing personal and operational flight details. According to the claims, the stolen dataset includes 1,533,900 personal records.
The records reportedly include full passenger names, flight numbers, seat assignments, departure and destination airports, ticket numbers, frequent flyer information, and even details about the devices used for check-in and boarding pass issuance.
What data was allegedly stolen from Dublin Airport?
- Full name
- Passenger status and description (e.g., adult, child, staff)
- Frequent flyer airline, number, and tier
- Free baggage allowance and fast-track eligibility
- Booking reference (PNR)
- Airline name and numeric code
- Flight number and date
- Departure and destination airport codes
- Seat number and compartment (class of service)
- Sequence number and number of segments (connections)
- Marketing and operating carrier
- Ticket form and serial number
- Electronic ticket indicator
- Boarding pass issuance source and date
- Document type and issuing airline designator
- Selectee indicator (used in security screening)
- International document verification status
- Baggage tag numbers, including non-consecutive tags
- Device name, ID, and type used for check-in or boarding
- Workstation ID and timestamp
- Departure date and time
- Barcode format and software version number
The breach could expose travelers’ identities, flight patterns, loyalty program credentials, and digital touchpoints. “This information could be exploited for identity theft, social engineering attacks, and phishing campaigns. It also might bring legal consequences, reputational damage, and loss of trust for the airport itself,” said the Cybernews research team.
Who is the Everest Group?
The Everest gang first emerged on the scene in July 2021. In September this year, the gang claimed BMW as a victim.
The gang also claimed it breached a subsidiary of Germany's second-largest bank, DZ Bank, and threatened to release stolen data. However, the bank denied that any attack took place.
In July, the group claimed Mailchimp, the popular email marketing platform, along with a cache of “internal company documents.” However, some security insiders referred to it as “breadcrumbs.”
Everest, believed to be connected to the BlackByte ransomware group, set its sights on Coca-Cola’s Middle East division on May 22nd, eventually leaking the data of nearly 1,000 employees from the company’s multiple distribution centers.
Seemingly part of a broader attack on Coca-Cola Europacific Partners, the world’s largest Coca-Cola bottler, the ransomware group reportedly made away with an alleged 23 million records.
Just days after the attack on Coca-Cola, Everest claimed the prominent international private hospital Mediclinic, which has locations in the UAE; the Abu Dhabi Department of Culture and Tourism; and the Jordan Kuwait Bank (JKB).
The gang was also behind the October 2022 attack on AT&T, in which it offered alleged access to the entire AT&T corporate network, and an attack on the Radisson Country Inn and Suites hotel chain in fall 2024.
Updated on October 28th 08:00 GMT with Daa's statement.