WestJet, a leading Canadian airline based in Calgary, has confirmed that a cybersecurity attack exposed personal information belonging to some of its passengers. The incident began on June 13, 2025, with the airline issuing an initial advisory shortly afterwards.
The airline detected suspicious activity, including restricted access for several users to internal systems and the WestJet app. It immediately activated specialized teams and contacted external security and forensic experts to tackle the breach. WestJet sincerely apologized to guests for any disruption and confirmed in its latest notification (PDF) that the review of all affected data was finalized on September 15, 2025.
What Information Was Stolen?
WestJet said in its June 2025 advisory that a criminal third party was responsible for gaining access to its network. The good news is that the security of the airline’s flight operations was never at risk. Even better, sensitive financial data was not compromised; this includes credit card numbers, expiry dates, CVV numbers, and user passwords.
“At no time was the security and integrity of our operations ever in question,” the company has confirmed.
The type of personal data stolen varies for each guest. It may include your name, date of birth, mailing address, and details from the travel document you used, such as your passport or other government-issued ID.
Further probing revealed that information for WestJet Rewards Members was also involved, specifically their Rewards ID number and points balances as of the date of the incident. This also applies to certain non-sensitive data for WestJet RBC Mastercard holders.
However, for most people, the airline states that the accessed information was not considered sensitive. If you booked travel for family members or others, WestJet asks that you pass this important information to them.
Action Taken by the Airline
The company has been working closely with law enforcement, including the Federal Bureau of Investigation, and has notified regulatory bodies like Transport Canada. To help protect those affected, WestJet is offering complimentary identity theft and monitoring services for 24 months through TransUnion.
This service includes up to $1,000,000 of expense reimbursement insurance. The airline urges anyone who may have been impacted to monitor their accounts closely for any suspicious activity.
Expert Commentary on the Breach
“It is very unfortunate that WestJet became a victim of yet another ransomware attack in the aviation space. For victims who had their data stolen, this could be a significant problem as modern air travel requires people to provide a lot of information,” said Erich Kron, CISO Advisor at KnowBe4, in a comment to Hackread.com.
“Stolen details such as passport or government identification, along with addresses and dates of birth, can facilitate significant identity theft. The fact that accommodations were among the stolen information could also impact victims through scams, and may raise regulatory issues if medical information was included,” he added.
“Recent attacks like this typically use social engineering, particularly phone calls, to trick help desk staff into resetting passwords or multi-factor authentication. Once attackers gain access to a legitimate account, they’ll launch further attacks, steal information, or spread malware such as ransomware,” Kron explained.
“Organizations of every size and across every industry need to take precautions to manage human risk, particularly for outward-facing workers or customer service roles. A good human risk management (HRM) program should address these types of attacks, as well as those sent through email or text messages, and also manage risks such as unintentional errors,” Kron added.