bbc.com
Imran Rahman-JonesTechnology reporter andJoe TidyCyber correspondent, BBC World Service

The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex.

A person has been arrested in connection with a cyber-attack which has caused days of disruption at several European airports including Heathrow.

The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex "as part of an investigation into a cyber incident impacting Collins Aerospace".

There have been hundreds of flight delays after Collins Aerospace baggage and check-in software used by several airlines failed, with some boarding passengers using pen and paper.

"Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," said Paul Foster, head of the NCA's national cyber crime unit.

The man was arrested on Tuesday evening on suspicion of Computer Misuse Act offences and has been released on bail.

The BBC has seen an internal memo sent to airport staff at Heathrow about the difficulties software provider Collins Aerospace is having bringing their check-in software back online.

The US company appears to be rebuilding the system again after trying to relaunch it on Monday.

Collins Aerospace's parent company RTX Corporation told the BBC it appreciated the NCA's "ongoing assistance in this matter".

The US firm has not put a timeline on when it will be ready and is urging ground handlers and airlines to plan for at least another week of using manual workarounds.

At Heathrow, extra staff have been deployed in terminals to help passengers and check-in operators but flights are still experiencing delays.

On Monday, the EU's cyber-security agency said ransomware had been deployed in the attack.

Ransomware is often used to seriously disrupt victims' systems and a ransom is demanded in cryptocurrency to reverse the damage.

These types of attacks are an issue for organisations around the country, with organised cyber-crime gangs earning hundreds of millions of pounds from ransoms every year.

Days of disruption
The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across many European airports, including in Brussels, Dublin and Berlin.

Flights were cancelled and delayed throughout the weekend, with some airports still experiencing effects of the delays into this week.

"The vast majority of flights at Heathrow are operating as normal, but we encourage passengers to check the status of their flight before travelling to the airport," Heathrow Airport said in a statement on its website.

Berlin Airport said on Wednesday morning "check-in and boarding are still largely manual", which would result in "longer processing times, delays, and cancellations by airlines".

While Brussels Airport advised passengers to check in online before arriving at the airport.

Cyber-attacks in the aviation sector have increased by 600% over the past year, according to a report by French aerospace company Thales.

| The Record from Recorded Future News Alexander Martin
September 18th, 2025

Two suspected members of the Scattered Spider cybercrime collective have been arrested and charged in the United Kingdom following an investigation into the hack of Transport for London (TfL) last year.

The National Crime Agency (NCA) announced on Thursday that Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, had been arrested at their homes at lunchtime on Tuesday.

The Crown Prosecution Service authorized charges against both men on Wednesday night under the Computer Misuse Act, alleging they conspired to commit unauthorized acts against TfL, which was hacked in August 2024. Flowers had initially been arrested over the the transit agency attack in September 2024, but released on bail.

The NCA said its officers also discovered additional potential evidence that Flowers had been involved in attacks against U.S. healthcare companies following his arrest. Flowers faces two additional charges of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health.

Jubair faces an additional charge for refusing to provide investigators with passcodes to access devices seized from him. The U.S. Department of Justice also unsealed a complaint against Jubair on Thursday, accusing him of computer crimes.

The men are set to appear at Westminster Magistrates’ Court at 2 p.m. on Thursday. In England and Wales, criminal cases begin with a first hearing in a magistrates’ court where it is decided whether the case will proceed to a Crown Court for a jury trial — required for all cases where the sentence could exceed 12 months.

The specific charges against both men are “conspiracy to commit an unauthorised act in relation to a computer causing / creating risk of serious damage to human welfare/national security,” the maximum sentence for which is life imprisonment.

Magistrates’ courts also decide whether a defendant can be released on bail. Prosecutors are seeking to have both men remanded in custody until they can face trial.

Paul Foster, the head of the NCA’s National Cyber Crime Unit, said: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”

It follows the NCA warning of an increasing threat from English-speaking cybercriminal groups, including the loose collective tracked as Scattered Spider, which has been associated with a range of attacks in both Britain and the United States.

“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” said Foster.

Hannah Von Dadelszen, the CPS’ chief prosecutor for the Crown Prosecution Service, said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”

The charges come as the NCA’s cybercrime unit is understood to be busier than ever in investigating a range of cases. These include the hack against TfL, the Legal Aid Agency, two incidents impacting the National Health Service, and attacks on three retailers — Marks & Spencer, the Co-op, and the London-based luxury store Harrods.

Contempt of court laws prohibit prejudicing a jury trial by suggesting suspects' guilt or innocence, publishing details regarding their past convictions, or speculating about the character of the defendants.

The U.K.'s National Crime Agency said it disrupted DigitalStress, a DDoS-for-hire operation that has been “responsible for tens of thousands of attacks every week across the globe.”

Law enforcement arrested two operators of the LockBit ransomware gang in Poland and Ukraine, created a decryption tool to recover encrypted files for free, and seized over 200 crypto-wallets after hacking the cybercrime gang's servers in an international crackdown operation.

The National Crime Agency has today revealed that it has infiltrated the online criminal marketplace by setting up a number of sites purporting to offer DDoS-for-hire services.

Today’s announcement comes after the Agency chose to identify one of the sites currently being run by officers as part of a sustained programme of activity to disrupt and undermine DDoS as a criminal service.