The UK’s National Crime Agency (NCA) has arrested a 40-year-old man in West Sussex as part of its investigation into a cyberattack on Collins Aerospace and parent company RTX Corporation. The incident triggered widespread disruptions at several European airports, affecting passenger check-in, baggage drop, and boarding pass printing. The suspect has been released on bail while enquiries continue. “While this arrest is a significant step, the investigation remains at an early stage and is ongoing,” the NCA said.
What happened: outage in ARINC SelfServ vMUSE check-in systems
The attack targeted Collins Aerospace’s ARINC SelfServ vMUSE kiosks—self-service terminals and software used by airlines and airports to run check-in counters and baggage-drop operations. Collins reported a cyberattack-related outage that degraded software functionality at multiple European locations. Because vMUSE sits in the critical ground-handling layer, even short-lived downtime can cascade into delays and cancellations.
Operational impact: cancellations and manual fallback procedures
Beginning Friday, 19 September 2025, airports in Berlin, Brussels, and London experienced electronic system failures. Airlines reverted to manual processes, including handwritten boarding passes and the use of backup laptops. The severity varied by airport, depending on the extent of vMUSE deployment.
Brussels Airport was hit hardest. Dozens of flights were canceled on Sunday and Monday; authorities asked carriers to cancel roughly 140 flights for Monday, 22 September, after calling off 25 flights on Saturday and another 50 on Sunday. Airport officials attributed the decision to the vendor’s inability to promptly deliver a “new secure version” of the check-in platform.
Investigation status and early attribution
Technical details have not been publicly disclosed. Independent researcher Kevin Beaumont suggested the attackers may have used a “very primitive” HardBit ransomware variant. Separately, BleepingComputer reported that sources pointed to Loki ransomware. No attribution has been officially confirmed, which is typical in early response phases while teams focus on restoration and collecting reliable forensic evidence.
Why it matters: aviation supply-chain risk at scale
The incident illustrates classic supply-chain exposure in aviation IT: compromise at a third‑party service provider can create synchronized failures across multiple airports. Check-in kiosks and counters are distributed endpoints dependent on centralized services and trusted software updates. Even relatively unsophisticated malware can have outsized operational effects when it lands in this layer.
Comparable shocks underscore the point. Public reporting on the 2021 SITA passenger service system incident showed how supplier compromises ripple through airlines’ operations, and the 2023 FAA NOTAM outage highlighted fragility in aviation’s digital ecosystem. Taken together, these events show that availability and integrity controls in shared platforms are as critical as confidentiality.
Recommended mitigations for airports, airlines, and vendors
Segment and harden operational networks: Isolate check-in endpoints from enterprise IT; enforce strict allowlists and default‑deny execution at kiosks; deploy endpoint detection and response (EDR) and next-generation antivirus (NGAV) on critical hosts with tamper protection.
Lock down software supply and updates: Require signed builds, integrity checks, and staged rollouts using sandbox environments; block unsigned or out-of-band updates; maintain immutable configuration backups for rapid rebuilds.
Control third‑party access: Enforce multi‑factor authentication, just‑in‑time privileged access, and continuous session monitoring for vendor support channels. Log and retain detailed telemetry for forensic readiness.
Prepare degraded‑mode operations: Maintain tested runbooks for manual check-in and baggage handling; pre-position backup devices and printers; conduct joint exercises with vendors and airlines to validate recovery time and communication plans.
Governance and contractual levers
Renegotiate vendor contracts to codify cybersecurity obligations, including explicit recovery time and recovery point objectives (RTO/RPO), incident notification SLAs, evidence preservation requirements, and procedures for emergency software version rollback or rotation.
Resilience in aviation hinges on the ability to operate safely under stress. This case shows that a single supplier outage can quickly become an airport-wide disruption. Organizations should prioritize hardened network segmentation, rigorous update pipelines, forensic-ready logging, and rehearsed fallback procedures, while embedding measurable resilience commitments into vendor agreements. These steps reduce operational risk and shorten recovery time when—not if—the next cyber incident occurs.