Dublin Airport operator daa has launched an urgent investigation after learning that a cyber-criminal gang may have accessed a file containing boarding-pass data for every departing passenger in August. The breach, which emerged on 28 October, stems from a ransomware attack on Collins Aerospace, the U.S. company whose MUSE check-in platform is used by several European hubs.
According to daa, the compromised file includes names, flight numbers, seat allocations and frequent-flyer details for up to 3.8 million journeys between 1 and 31 August 2025. While no direct impact on daa systems has been detected, the incident raises serious questions about supply-chain security and the knock-on risk for identity theft and targeted phishing campaigns aimed at travellers and corporate road-warriors.
The airport has notified the Data Protection Commission and Ireland’s National Cyber Security Centre, and is working with affected airlines to assess whether passport or payment data were also exposed. The breach arrives just as Dublin Airport pushes through passenger-experience upgrades—including new C3 security scanners and additional e-Gates—to cement its position as a transatlantic business hub; any perception of lax data controls could undermine that objective.
From a global-mobility perspective, employers with staff who travelled through Dublin in August should alert travellers to watch for suspicious emails and consider credential resets. Immigration advisers also note that data-protection failures can trigger Schengen-wide sanctions if regulators judge the airport’s remediation inadequate, potentially disrupting EU travel flows.
daa says passengers do not need to take immediate action but should “remain vigilant”. The episode is another reminder that mobility managers must extend their risk assessments beyond airlines and airports to include the technology vendors that underpin modern border processing.
According to daa, the compromised file includes names, flight numbers, seat allocations and frequent-flyer details for up to 3.8 million journeys between 1 and 31 August 2025. While no direct impact on daa systems has been detected, the incident raises serious questions about supply-chain security and the knock-on risk for identity theft and targeted phishing campaigns aimed at travellers and corporate road-warriors.
The airport has notified the Data Protection Commission and Ireland’s National Cyber Security Centre, and is working with affected airlines to assess whether passport or payment data were also exposed. The breach arrives just as Dublin Airport pushes through passenger-experience upgrades—including new C3 security scanners and additional e-Gates—to cement its position as a transatlantic business hub; any perception of lax data controls could undermine that objective.
From a global-mobility perspective, employers with staff who travelled through Dublin in August should alert travellers to watch for suspicious emails and consider credential resets. Immigration advisers also note that data-protection failures can trigger Schengen-wide sanctions if regulators judge the airport’s remediation inadequate, potentially disrupting EU travel flows.
daa says passengers do not need to take immediate action but should “remain vigilant”. The episode is another reminder that mobility managers must extend their risk assessments beyond airlines and airports to include the technology vendors that underpin modern border processing.
