Dublin Airport has confirmed a significant data breach affecting potentially 3.8 million passengers who traveled through the Irish facility during August 2025, following a cyberattack on aviation technology supplier Collins Aerospace. The breach compromised boarding pass data for all flights departing Dublin Airport from August 1-31, 2025, a period during which the airport processed over 3.7 million passengers across more than 110,000 daily passenger movements.
The Dublin Airport Authority (DAA), which operates both Dublin and Cork airports, first learned of the compromise on September 18, 2025, when Collins Aerospace notified them of a breach affecting its IT systems. By September 19, intelligence gathered by airport authorities confirmed that boarding pass information had been published online by a cybercriminal group. Cork Airport officials clarified that none of the compromised data relates to flights through their facility.
The exposed data includes passenger booking references, first and last names, frequent flyer numbers, contact information such as email addresses and phone numbers, and travel itineraries. Airlines including Swedish carrier SAS have sent notifications to affected passengers warning that other booking-related details may have been accessed. However, the breach did not involve passport information, payment card details, or other financial data.
The incident is directly linked to the devastating Collins Aerospace ransomware attack that crippled multiple European airports in September 2025. Collins Aerospace's MUSE (Multi-User System Environment) software, which powers check-in and boarding operations at approximately 170 airports globally, fell victim to HardBit ransomware on the night of September 19, 2025. Dublin Airport was particularly hard hit, with officials confirming they had to rebuild servers "from scratch" with no clear timeline for resolution.
Additionally, the Russia-linked Everest ransomware gang has claimed responsibility for a separate attack on Dublin Airport, threatening to leak data of over 1.5 million records on the dark web unless the airport pays a ransom. This claim includes device information, workstation IDs, timestamps, departure dates and times, and barcode formats.
The DAA immediately reported the breach to multiple authorities on September 19, 2025, including the Data Protection Commission (DPC), Irish Aviation Authority, and National Cyber Security Centre. Graham Doyle, Deputy Commissioner at the Data Protection Commission, confirmed the agency is conducting a full investigation into the breach's scope and impact.
Security experts warn that the compromised information provides sufficient detail for sophisticated phishing campaigns, social engineering attacks, frequent flyer account takeover attempts, and identity theft operations targeting affected passengers.
