A cyberattack on WestJet earlier this year has now been confirmed to have exposed sensitive personal information, including passenger passports, addresses, and WestJet Rewards data.
Quick Summary – TLDR:
- WestJet’s June cyberattack compromised travel documents, personal details, and loyalty program data.
- The airline confirmed the breach after a months-long investigation concluded in mid-September.
- No passwords, credit card numbers, or CVVs were accessed, but identity theft risks remain.
- Affected passengers are being offered two years of free identity theft protection.
What Happened?
On June 13, WestJet disclosed a cybersecurity incident that disrupted its internal systems and mobile app. At the time, the airline did not reveal whether customer data had been compromised. Now, following an investigation concluded on September 15, WestJet has confirmed that a “sophisticated criminal third party” accessed sensitive data belonging to a subset of passengers, mainly US-based.
Canada’s WestJet says some passenger data exposed in cybersecurity breach https://t.co/JbQj71HWtJ
— CTV News (@CTVNews) September 29, 2025
Investigation Confirms Exposure of Sensitive Data
WestJet, which carries over 25 million travelers annually and operates over 700 daily flights, has now detailed the scope of the data breach in a customer notification issued on September 29.
The compromised information includes:
- Full names, birthdates, and mailing addresses.
- Passport numbers or other government-issued ID.
- WestJet Rewards Member ID, tier status, and points.
- Information about requested accommodations or complaints.
- Card type details for WestJet RBC Mastercard holders.
Importantly, no credit card numbers, expiration dates, CVV codes, or user passwords were taken. The airline stated that there is no current evidence that WestJet Rewards points are at risk, but advised vigilance.
Passengers who made group bookings are also being asked to alert fellow travelers who may have been affected under the same reservation.
Identity Theft Monitoring and Regulatory Cooperation
To help mitigate the potential impact, WestJet is offering affected customers a free 24-month subscription to TransUnion’s myTrueIdentity service. This includes:
- Daily credit monitoring.
- Dark web surveillance.
- Identity theft insurance of up to $1 million.
Customers must enroll by November 30, 2025 to access this protection.
WestJet has also posted dedicated resources and contact points for affected US customers, including FTC and state attorney general information. The airline is urging travelers to monitor their credit reports, look out for suspicious account activity, and remain cautious of phishing attempts that may reference the incident.
Who’s Behind the Attack?
While the attackers have not been officially identified, the breach occurred during a time when the Scattered Spider cybercrime group was actively targeting aviation and transportation companies. This group has also been linked to attacks on Hawaiian Airlines and Qantas.
Although WestJet did not confirm a direct link to Scattered Spider, the timing and nature of the attack suggest it could be part of a broader trend of social engineering-based breaches against the airline industry.
WestJet said the attack was quickly contained and that they are working closely with cybersecurity experts and law enforcement, including the FBI, Transport Canada, and the Canadian Centre for Cyber Security, to continue the investigation.
SQ Magazine Takeaway
I find it deeply concerning that even a well-established airline like WestJet can fall victim to such an invasive breach. While it’s good to see them offering identity protection and being transparent after the investigation, this should serve as a wake-up call for all of us. If you’ve flown with WestJet recently, check your booking history, alert any companions, and seriously consider signing up for the free monitoring. Data breaches are no longer just tech problems. They’re personal.
