Collins Aerospace: Old Passwords and Delayed Response Enable Data Theft
New details about the cyber attack on Collins Aerospace: Old passwords enabled data theft, likely millions of passenger data affected, more than just ransomware
(Image: Nuno Andre/Shutterstock.com)
The cyber attack, which affected air traffic at several European airports at the end of September, is proving to be more complex than initially assumed. While operator Collins Aerospace officially reported a ransomware attack, the hacker group Everest claims to have merely exfiltrated data via an insecure FTP server.
The initial report at the end of September 2025 seemed clear: a cyber attack on Collins Aerospace's passenger processing system "MUSE" had affected operations at airports such as Berlin (BER) and Brussels. The official explanation was ransomware, which led to an emergency shutdown of the systems. However, a differing account from the hacker group Everest now shifts the focus to another, no less serious incident.
Everest's Version: Data theft through a years-old open door
According to its own statements, Everest gained access to an FTP server (ftp.arinc.com) of Collins Aerospace as early as September 10. The credentials used for this were strikingly simple: the username was aiscustomer, and the password was muse-insecure. Particularly troubling: an analysis by the security firm Hudson Rock traces the compromised credentials back to an infostealer infection on an employee PC in 2022. The fact that this entry point was apparently open for years and that simple default passwords were not changed casts a poor light on the company's security culture.
The group claims to have exfiltrated more than 50 gigabytes of data through this access. The time delay is striking: although the data was copied on September 10, a serious reaction from RTX/Collins Aerospace seems to have occurred only more than a week later. Everest states that negotiations began with an intermediary from Collins Aerospace but broke off between September 18 and 24 – precisely in the timeframe when Collins completely shut down the systems.
(Image: Everest)
Potentially Millions of Passengers in Europe Affected
The impact of the data leak is becoming increasingly visible. As the Irish Times reports, potentially millions of passengers who used Dublin Airport in August are affected. The Dublin Airport Authority (DAA) confirmed that boarding pass information from this period was compromised. Airlines such as SAS have already begun informing customers.
German travelers and employees are also likely to be affected. At the very least, screenshots published by Everest show .de domains and German-language account names. In Germany, primarily Eurowings, Lufthansa City Airlines, Condor, EasyJet, and Ryanair operate through airports such as BER, Cologne/Bonn, and Münster using the MUSE system. It remains unclear how many individuals from the DACH region are included, but it must be assumed that some are. Identity theft and targeted phishing attacks are conceivable with the stolen data.
(Image: Everest)
Ransomware Report as Part of Unclear Communication?
On the other hand, there are the official reports that speak of a ransomware attack. For example, the parent company RTX reported such an incident in a mandatory filing with the US Securities and Exchange Commission (SEC). This statement is supported by the British National Cyber Security Centre (NCSC). Its director, Dr. Richard Browne, stated according to a report by Cyber Daily on September 23 that the NCSC is aware of both the attacker and the malware strain used.
However, the term ransomware is not always used precisely. While it often implies encryption by malware, companies also use it in their public communications for incidents where data is merely stolen and extortion is threatened through deletion or non-publication. From this perspective, the official report from Collins/RTX could be technically correct but misleading. The late reaction – the FTP access was only closed a week after the data exfiltration – suggests internal communication problems or incompetent handling of the incident. Instead of assuming two parallel attacks, it could therefore be a single, but poorly managed incident, where the emergency shutdown of the systems was a late measure to regain control and assess the extent of the damage.
(Image: Screenshot heise medien)
Everest itself explicitly distances itself from any ransomware activity. On its site on the Tor network, it states verbatim:
"Our current position on ransomware: Our group does not use or distribute ransomware. Many are aware that we have not used ransomware for many years and have not announced any plans to do so in the future."
This distinction would fit the group's strategic shift in recent years: according to reports, it now acts more as a specialized initial access broker. Nevertheless, one must ask to what extent the statements of cybercriminals can be trusted. The lack of transparency from Collins Aerospace towards its partners is meanwhile substantiated by research from IT security expert Kevin Beaumont. He wrote on Mastodon that at least one of the affected airlines had not been informed about the theft of its data.
(vza)