National Crime Agency detectives have arrested a man in his forties following a sophisticated cyber attack that paralysed check-in systems at Europe’s busiest airports, leaving thousands of holidaymakers stranded and forcing airlines to resort to handwritten boarding passes.
The suspect was detained at his West Sussex home on Tuesday evening on suspicion of Computer Misuse Act offences before being released on conditional bail, as investigators probe the attack on Collins Aerospace’s critical aviation software that brought chaos to terminals across the continent.
The cyber assault, which began late on Friday 19 September, targeted Collins Aerospace’s cloud-based MUSE passenger processing system, knocking out electronic check-in kiosks, baggage drop facilities and boarding systems at London Heathrow, Brussels, Berlin Brandenburg and Dublin airports. The attack forced overwhelmed staff to manually process thousands of passengers using pen and paper, creating scenes reminiscent of air travel decades ago.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, confirmed the arrest marked significant progress but cautioned that the investigation remained in its early stages. “Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” he said.
Foster warned that cybercrime represented an escalating threat to British infrastructure, adding, “Cybercrime is a persistent global threat that continues to cause significant disruption to the UK. Alongside our partners here and overseas, the NCA is committed to reducing that threat in order to protect the British public.”
Airlines Forced Into Manual Check-In Chaos
The attack’s impact rippled through Europe’s aviation network for days, with Brussels Airport suffering the most severe disruption. Airport officials were forced to ask airlines to cancel half of Monday’s scheduled departing flights as technicians scrambled to restore the compromised systems. At the height of the chaos, 86 per cent of Brussels flights experienced delays ranging from 15 minutes to four hours.
Heathrow, which handles more passengers than any other European airport, saw at least 38 departures and 33 arrivals cancelled over the weekend. The airport deployed additional staff to check-in areas as airlines struggled with manual processes, with some passengers reporting three-hour waits at baggage drop counters.
Maria Casey, travelling to Thailand via Etihad Airways from Heathrow’s Terminal 4, described the pandemonium to reporters. “They had to write our baggage tags by hand. Only two desks were staffed, which is why we were cheesed off,” she said after enduring a three-hour wait.
Another passenger, 19-year-old Derine, who had flown in from Malta en route to Ireland for university, told The Sun about the confusion. “There has not been much information about my next flight, but when we arrived, the plane just circled the runway about five times. We weren’t let off the plane for half an hour.”
Berlin Brandenburg Airport warned travellers of extended waiting times and advised passengers to check flight status before travelling, whilst staff distributed handwritten boarding passes to confused passengers. Dublin Airport’s Terminal 2 also experienced significant disruption that persisted for three days.
Critical Aviation Software Targeted
The cyber criminals specifically targeted Collins Aerospace’s MUSE platform, a sophisticated cloud-based system that enables multiple airlines to share check-in desks, self-service kiosks and boarding gates through a single backend infrastructure. The Multi-User System Environment has become deeply embedded in modern airport operations, powering everything from automated check-in to baggage tagging across dozens of major airports worldwide.
RTX Corporation, the American defence giant that owns Collins Aerospace, confirmed it had become aware of “cyber-related disruption” affecting its software at “select airports” but initially withheld details about the attack’s nature or scope. The company stated, “We are actively working to resolve the issue and restore full functionality to our customers as quickly as possible.”
The firm emphasised that whilst electronic systems were compromised, “the impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations.” However, this reassurance provided little comfort to airlines forced to process thousands of passengers without their usual digital infrastructure.
Cybersecurity experts have noted the attack’s sophistication, with some speculating about potential state-sponsored involvement. A NATO-linked cybersecurity expert described the method as “very clever,” pointing to the timing shortly after Collins Aerospace signed a defence deal with NATO, though no attribution has been confirmed.
Aviation Industry Under Siege
The incident has exposed alarming vulnerabilities in aviation’s digital infrastructure, with experts warning that attacks on the sector have surged by an extraordinary 600 per cent between 2024 and 2025, according to French defence company Thales. The dramatic escalation has transformed airports into prime targets for cyber criminals seeking to cause maximum disruption.
Charlotte Wilson, head of enterprise at cybersecurity firm Check Point, warned that aviation had become an “increasingly attractive target” for cyber criminals. “These attacks often strike through the supply chain, exploiting third-party platforms that are used by multiple airlines and airports at once,” she explained.
Travel analyst Paul Charles expressed shock at the breach, noting the severity of an attack on such a major aviation company. “It’s deeply worrying that a company of that stature who normally have such resilient systems in place have been affected,” he said. “This is a very clever cyberattack indeed because it’s affected a number of airlines and airports at the same time, not just one airport or one airline, but they’ve got into the core system.”
The attack highlighted the dangerous concentration of risk when airports rely on single technology providers. Rob Jardin, chief digital officer at NymVPN, warned in a statement that “increasingly, hackers are not just criminals but are being weaponised by hostile nation states” against critical infrastructure.
Terror Watchdog Raises Foreign State Concerns
Terror law watchdog Jonathan Hall KC has suggested the attack could have been orchestrated by hackers from a foreign state, though investigators have not confirmed any specific attribution. The timing and sophistication of the assault have raised concerns about potential hybrid warfare tactics amid ongoing international tensions.
The incident draws uncomfortable parallels with July’s global IT crash caused by a faulty CrowdStrike update, which grounded flights across America and demonstrated the fragility of aviation’s interconnected systems. However, unlike that accidental disruption, this attack was deliberately designed to cause maximum chaos.
UK authorities worked closely with the South East Regional Organised Crime Unit to track down and arrest the suspect, demonstrating the priority placed on protecting critical national infrastructure from cyber threats. The National Cyber Security Centre confirmed it was working with Collins Aerospace to investigate the breach and strengthen defences against future attacks.
Passengers Face Continued Disruption
Whilst Heathrow reported that the majority of flights had returned to normal operations by Wednesday morning, residual effects continued to impact schedules across Europe. Brussels Airport warned passengers to expect ongoing delays as systems were gradually restored, whilst Berlin’s airport mobilised all available resources to manage continued manual processing.
Airlines were forced to implement emergency procedures, with British Airways activating backup systems that allowed limited operations to continue. Delta Air Lines reported minimal impact after implementing workarounds, but smaller carriers without robust contingency plans faced severe operational challenges.
Passengers have been advised to arrive at airports no earlier than three hours before long-haul flights and two hours before short-haul services to avoid overcrowding in terminals. Airlines continue to work through backlogs of delayed passengers and mishandled baggage as normal operations slowly resume.
The European Commission stated there were “currently no indications of a widespread or severe attack” beyond the initial breach, but aviation authorities across the continent have been placed on high alert for potential follow-up attacks or copycat incidents.
Critical Questions for Aviation Security
The attack has prompted urgent questions about aviation’s reliance on centralised technology platforms and the adequacy of current cybersecurity measures. Experts argue that whilst shared systems like MUSE deliver efficiency and cost savings, they create dangerous single points of failure that can paralyse multiple airports simultaneously.
Cybersecurity specialists have called for immediate improvements to aviation IT infrastructure, noting that many systems still rely on decade-old technology that was designed before cyber resilience became a critical consideration. The upcoming EU NIS2 directive, set to take effect in October, will broaden the legal definition of critical infrastructure to include IT suppliers like Collins Aerospace, potentially mandating stronger security requirements.
The NCA’s ongoing investigation will likely examine how the attackers penetrated Collins Aerospace’s cloud infrastructure and whether adequate security measures were in place. The arrest represents just the first step in what sources suggest could be a complex international investigation involving multiple law enforcement agencies.
As the aviation industry counts the cost of yet another devastating cyber attack, the message from criminals is clear: airports and their technology suppliers remain vulnerable targets. With passenger numbers returning to pre-pandemic levels and increasing reliance on digital systems, the sector faces an urgent imperative to strengthen its cyber defences before the next attack strikes.
Follow for more updates on Britannia Daily
Image Credit:
Inside Berlin Hauptbahnhof — photo by Jorge Láscar, CC BY 2.0
