Hacker Attack on Brussels, Berlin, and London Airports: 40-Year-Old Arrested in UK
A major ransomware cyberattack that paralyzed check-in and boarding systems at Europe’s busiest airports has led to the arrest of a suspect in the UK. The incident, which began on September 19, 2025, affected operations at London Heathrow, Brussels Airport, and Berlin Brandenburg, causing widespread flight delays, cancellations, and manual processing chaos for thousands of passengers. UK authorities announced the detention of a man in his 40s on September 24, marking a significant early breakthrough in the investigation. As recovery efforts continue, this event highlights the fragility of critical aviation infrastructure to digital threats.
The Ransomware Attack: How It Unfolded
The cyberattack targeted Collins Aerospace, a subsidiary of US defense firm RTX, which supplies the MUSE cloud-based software for automated passenger processing. Hackers deployed ransomware—malware that encrypts systems and demands cryptocurrency for restoration—disrupting services starting Friday evening, September 19, 2025. The EU’s cybersecurity agency, ENISA, confirmed on September 22 that it was a ransomware incident, likely involving the obscure HardBit strain, known for tailored extortion tactics.
- Timeline of Disruptions:
- September 19-20: Initial breach hits check-in and baggage systems; Heathrow warns of delays, Brussels switches to manual processes.
- September 21: Brussels cancels half its Sunday flights (about 70 departures) to manage queues; Berlin reports longer wait times.
- September 22: ENISA verification; 60 cancellations at Brussels, with iPads and laptops used for online check-ins; Dublin and Cork see minor impacts.
- September 23: Berlin still largely manual, leading to ongoing delays and airline cancellations.
- September 24: Arrest announced; partial recovery underway, but full restoration pending.
Collins Aerospace stated it was in the “final stages” of updates to restore functionality, collaborating with affected airports. No ransom payment details have been disclosed, and the perpetrators—potentially a covert group without a public leak site—remain unidentified.
The Arrest: UK Authorities Strike Back
The UK’s National Crime Agency (NCA) led the operation, arresting the suspect on suspicion of Computer Misuse Act violations. This rapid response underscores international efforts to combat ransomware, especially after recent busts of groups like Scattered Spider.
| Arrest Details | Information |
|---|---|
| Suspect | Man in his 40s, arrested in West Sussex, England. |
| Date | September 24, 2025. |
| Status | Released on conditional bail; probe ongoing. |
| Agency | NCA’s National Cyber Crime Unit, headed by Deputy Director Paul Foster. |
| Context | Linked to Collins Aerospace breach; no confirmed international ties yet. |
Foster called the arrest a “positive step” in tackling cybercrime’s “persistent global threat,” which caused real-world havoc. The investigation, still nascent, may involve Europol and forensic tracing of payments.
Impact on Airports and Passengers
The attack’s cascade effect turned modern terminals into pre-digital relics, with staff resorting to pen-and-paper methods. Europe’s aviation hubs bore the brunt, exacerbating weekend travel woes.
- London Heathrow: Europe’s busiest airport saw 29 cancellations; passengers advised to arrive 2-3 hours early, with manual bag drops persisting.
- Brussels Airport: Hardest hit—50% flight cuts on Sunday/Monday (up to 140 affected); 29 total cancellations by September 22, plus delays over an hour for dozens more.
- Berlin Brandenburg: “Longer processing times” led to widespread delays; manual check-ins continued into Wednesday, with airlines proactively canceling.
- Other Sites: Dublin (evacuations and minimal ongoing issues), Cork, and Frankfurt reported slowdowns.
Aviation analytics from Cirium showed only 42% of Brussels flights departing on time by Monday. Passenger frustration mounted, with reports of hours-long queues and missed connections. Eurocontrol coordinated to minimize airspace congestion.
Broader Implications: Ransomware’s Grip on Critical Sectors
This breach exemplifies ransomware’s evolution, targeting third-party providers to amplify damage. HardBit, emerging in 2022, avoids publicity unlike LockBit, complicating attribution. German group Bitkom notes ransomware as the top threat, with one in seven firms paying up—fueling a €202 billion ($238 billion) global industry in 2025.
Experts warn of rising attacks on aviation, following incidents like the April 2025 Marks & Spencer ransomware that cost £400 million. While not state-sponsored (per initial assessments), such events could inspire copycats. RTX has not commented on data theft, but ENISA stresses supply-chain vulnerabilities.
For prevention:
- Airports/Providers: Enhance backups, multi-factor authentication, and incident response drills.
- Travelers: Check flight status via apps; opt for online check-in where available.
- Global Response: Boosts calls for unified EU-US cyber defenses.
As systems reboot, this arrest signals cybercriminals aren’t invincible. With probes intensifying, expect more revelations—Europe’s skies may clear, but the digital storm rages on.