An investigation has been launched into a major data breach involving passenger boarding passes issued for flights departing Dublin Airport during August, potentially affecting hundreds of thousands of travellers.
The incident relates to data held by a third-party supplier, Collins Aerospace, which provides services to daa — the operator of Dublin and Cork airports. According to daa, a file containing boarding pass data from 1 to 31 August 2025 was found on a compromised server, raising concerns that sensitive passenger information may have been exposed.
While the exact number of people affected has not been confirmed, RTÉ News understands the breach could involve data from hundreds of thousands of passengers. In August alone, 3.8 million passenger journeys were made through Dublin Airport.
daa confirmed it was alerted to the potential exposure last Friday after receiving information suggesting that a cyber-criminal group may have published the file online. The airport operator reported the incident to the Data Protection Commission (DPC) on 19 September, following notification from Collins Aerospace about a compromise in its IT systems.
“daa is aware of a data security incident involving a third-party supplier, Collins Aerospace,” a spokesperson said. “The matter is under active investigation, and we are working closely with our regulators — the Irish Aviation Authority (IAA), the Data Protection Commission (DPC), and the National Cyber Security Centre (NCSC) — as well as our affected airline partners.”
The spokesperson added that there is currently no evidence of any direct impact on daa’s own systems. Passengers who travelled through Dublin Airport in August have been advised that no immediate action is necessary, but they should remain vigilant for any suspicious activity connected to their flight bookings.
The DPC confirmed it has received a breach notification and is liaising with daa as the investigation continues. “We have received a breach notification in relation to this matter and are engaging with daa on it,” said Deputy Commissioner Graham Doyle.
The nature of the exposed information — such as whether it includes passenger names, booking references, or travel details — has not yet been disclosed.
The breach, first reported by The Irish Times, underscores growing concerns about cybersecurity risks within the aviation sector, which handles vast volumes of sensitive passenger data across multiple external suppliers.
