British authorities arrested a man in his 40s from West Sussex in connection with a ransomware incident that knocked out automated check-in and baggage systems at several major European airports. Law enforcement detained the suspect under the Computer Misuse Act and later released him on conditional bail as investigators continue their probe.
“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” said Deputy Director Paul Foster, head of the National Crime Agency’s Cyber Crime Unit. “Cybercrime is a persistent global threat that continues to cause significant disruption to the UK. Alongside our partners here and overseas, the NCA is committed to reducing that threat in order to protect the British public.”
The outage began on September 19 and forced airlines to revert to manual processes, creating long queues and triggering hundreds of delays and cancellations across hubs including London Heathrow, Brussels, Berlin and Dublin. Thousands of passengers faced disrupted plans as ground staff issued handwritten boarding passes and moved baggage through improvised procedures.
Read: Berlin, Brussels, Dublin, and Heathrow Disrupted by Cyberattack on Critical Check-In Systems
Collins’ Parent Confirms Ransomware Attack
Authorities and industry officials quickly traced the disruption to a vendor product. The attack targeted Collins Aerospace’s passenger processing software, known as MUSE (Multi-User System Environment), a platform that lets multiple airlines share check-in and gate resources. RTX, Collins’ parent company, disclosed the incident in an 8-K filing, saying it detected a “product cybersecurity incident involving ransomware” on systems that support MUSE and that those systems sit on customer-specific networks outside RTX’s enterprise environment.
The European Union Agency for Cybersecurity (ENISA) said it identified the ransomware family used in the strike but declined to name the strain while investigations continue. ENISA’s confirmation moved the incident from “operational disruption” to a confirmed ransomware event, heightening concern about third-party software in critical transport infrastructure. Ransomware typically encrypts files or systems and demands payment for a decryption key.
Airport Operations Still Lagging
Airport operators warned that effects could linger. Berlin’s airport said check-in and baggage handling had yet to be fully restored and warned travelers to expect further delays and cancellations as teams continue manual processing and recovery work. Brussels reported limited operations in some areas, while Heathrow said most flights were running but urged passengers to verify schedules before travelling; Dublin reported operations “moving well” though some airlines still used manual workarounds.
RTX told investors it activated its incident response plan, engaged internal and external cybersecurity experts, and notified domestic and international law enforcement and government agencies. The filing added that customers had shifted to backup or manual processes and that the company did not expect a material financial impact from the incident at this time. Those details underscore two practical realities: vendors must assume their software can become a vector for large-scale disruption, and customers must rehearse failover plans that do not depend on the vendor’s network.
Cybersecurity specialists say the case shows supply-chain risk in aviation, where a single third-party platform can touch dozens of airlines and several airports simultaneously. The incident strengthens calls for stricter vendor security controls between provider and customer environments, and verified, offline recovery options for critical operations. There is also a need for rapid threat-sharing among operators and regulators to speed containment and recovery.
