Air travel across Europe was thrown into chaos last weekend as a major cyberattack crippled check-in and baggage systems at several of the continent’s busiest airports. The disruption, which began late on Friday, September 19, 2025, left thousands of passengers stranded and forced airport staff to dust off old manual procedures, handwriting boarding passes and scrambling to keep flights moving as best they could. By Tuesday, authorities in the UK announced they had arrested a man in his 40s from West Sussex in connection with the attack, offering a glimmer of hope that the perpetrators might be brought to justice.
According to Britain’s National Crime Agency (NCA), the suspect was detained on Tuesday evening on suspicion of offenses under the Computer Misuse Act. He was later released on conditional bail, as the investigation remains in its early stages. Paul Foster, deputy director of the NCA’s National Cyber Crime Unit, emphasized the seriousness of the crime and the ongoing nature of the probe: “Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing.” Foster added, “Cybercrime is a persistent global threat that continues to cause significant disruption to the UK.”
The cyberattack targeted Collins Aerospace, a subsidiary of RTX (formerly Raytheon Technologies), whose vMUSE self-service software is used for passenger check-in, baggage tagging, and boarding at airports across Europe. The attack, which authorities and security experts say involved ransomware, forced many airports—including London Heathrow, Berlin, Brussels, and Dublin—to revert to backup laptops and handwritten passes as their digital systems failed. According to RTX’s filing with the U.S. Securities and Exchange Commission, the affected systems operate outside the RTX enterprise network, residing on customer-specific networks, which may have complicated efforts to contain the breach.
Collins Aerospace acknowledged what it called a “cyber-related disruption” and said it was working closely with airports and law enforcement to restore normal operations. In a statement on Monday, the company said it was in the “final stages” of restoring its systems, but by Wednesday, some airports were still warning of ongoing delays. “The provider of the computer-controlled passenger and baggage handling system used at BER Airport, among other locations, has announced that it may take several more days to provide functional and secure software,” Berlin Airport said in a statement, cautioning travelers to expect longer lines and possible cancellations.
The impact was felt most acutely at Brussels and Berlin airports. Over the weekend, Brussels canceled dozens of flights and asked airlines to scale back departures as technicians struggled to bring the compromised systems back online. Berlin airport reported that check-in and boarding were “still largely manual,” resulting in “longer processing times, delays, and cancellations by airlines.” Meanwhile, Heathrow Airport in London managed to restore most of its operations by Tuesday, though officials advised passengers to check schedules and arrive early, especially for long-haul flights. Dublin Airport said operations were “moving well,” but some airlines continued to rely on manual workarounds.
Across all these locations, the sight of airport staff hunched over paper forms or typing into backup laptops was a stark reminder of how dependent modern air travel has become on digital infrastructure. “We don’t know how the attack was executed, but we do know ransomware was involved,” said Ryan McConechy, CTO at Barrier Networks, in comments reported by Recorded Future News. He urged organizations to “prioritize their defenses against the vector,” recommending regular staff training, patching vulnerabilities, deploying phishing-resistant multi-factor authentication, and closely monitoring supplier security.
The European Union’s cybersecurity agency, ENISA, confirmed that a “third-party ransomware” was responsible, though it declined to disclose the specific variant. However, security researcher Kevin Beaumont linked the attack to a variant of Hardbit ransomware, adding another layer to the ongoing investigation. The perpetrators behind the cyberattack remain unidentified, with experts speculating that hackers, criminal organizations, or even state actors could be responsible. The NCA has not revealed whether the arrested individual acted alone or as part of a wider group, and authorities have not yet disclosed the full motive behind the attack.
RTX, the parent company of Collins Aerospace, reported the incident to domestic and international law enforcement agencies and said it is “diligently investigating the incident with the assistance of internal and external cybersecurity experts.” The company also notified certain government agencies and is providing technical support to affected customers, including airlines and airports across Europe.
The disruption caused by the attack was not limited to missed flights and frustrated travelers. It exposed the vulnerabilities of interconnected airport systems and underscored the growing threat posed by cybercriminals to critical infrastructure. As the EU’s ENISA noted, the incident is just the latest in a string of cyber events targeting the transport sector, following recent attacks on rail networks and shipping terminals. Last week, UK authorities arrested two individuals linked to the Scattered Spider group in connection with a cyberattack on Transport for London, which caused millions of pounds in damages.
Despite the disruption, aviation safety and air traffic control were not affected, according to the European Commission. Flights that did operate did so safely, even if they were delayed or boarded manually. For many passengers, the experience was a frustrating inconvenience, but for airport operators and airlines, it was a wake-up call about the fragility of the systems that keep global air travel running smoothly.
Looking ahead, the investigation is likely to continue for weeks or months, as authorities work to determine the full extent of the breach, identify any accomplices, and understand how the attackers gained access to such a critical piece of infrastructure. In the meantime, airports and airlines are reviewing their cybersecurity protocols and preparing for the possibility of further attacks. As Paul Foster of the NCA put it, “Cybercrime is a persistent global threat”—one that shows no sign of abating as digital systems become ever more central to daily life.
For now, while most flights have resumed and the worst of the chaos has passed, the incident stands as a stark warning of the vulnerabilities lurking beneath the surface of modern air travel—and the determination of authorities to pursue those who would exploit them.