WestJet confirms cyberattack exposed IDs, passports in June incident


WestJet confirms cyberattack exposed IDs, passports in June incident

Pierluigi Paganini
October 01, 2025

WestJet confirms June cyberattack that disrupted certain internal systems, exposed customer passports and IDs.

WestJet airline confirmed the June security breach exposed customer passports and IDs. WestJet is a Canadian airline that operates both domestic and international flights. Founded in 1996, it started as a low-cost carrier and has grown to become Canada’s second-largest airline, after Air Canada.

The cybersecurity incident impacted some of its internal systems and mobile app, which had blocked access for several users.

The company mitigated the attack with specialized internal teams and coordinated the response with law enforcement and Transport Canada.

The airline pointed out that the attack did not impact operational safety, while efforts were focused on protecting sensitive personal data. The company advised guests and employees to exercise extra caution when sharing personal information.

According to the data breach notification letter sent to the impacted individuals, the types of personal information involved in this incident vary by individual.

“The types of personal information involved by this incident vary by individual but may include your name, date of birth, mailing address, information about the travel document you used when travelling with WestJet (such as your passport or other government-issued identification document or number) and other information associated with your travel needs such as accommodations requested or complaints filed. No credit card or debit card numbers, expiry dates or CVV numbers or account passwords were involved.” reads the notification. “If you are a WestJet Rewards Member, information linked to your membership may have also been involved. This could include your WestJet Rewards ID number and points balance on the date of the incident, as well as other information linked to the use of your account. Importantly, your password to access Rewards accounts was not involved. WestJet has no reason to believe that your points may be at risk.If you are a WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard for Business cardholder, additional information linked to your WestJet Rewards account may have also been involved. This may include a credit card identifier type (e.g. “World Elite”), and information about changes to your WestJet points balance. Your credit card number, expiration date and CVV are not involved.”

The Canadian airline says it’s still assessing the breach’s scope, with initial notices sent to the confirmed victims. The company is still investigating the security breach with the help of experts and the FBI, stressing that investigations are complex but ongoing.

The airline claims it has implemented security measures to prevent future incidents.

WestJet offers affected customers free 24-month identity theft protection via TransUnion, including alerts, fraud assistance, restoration help, and up to $1M insurance.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)







Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.