WestJet, a leading Canadian airline based in Calgary, has confirmed that a cybersecurity attack exposed personal information belonging to some of its passengers. The incident began on June 13, 2025, with the airline issuing an initial advisory shortly afterwards.
The airline detected suspicious activity, including restricted access for several users to internal systems and the WestJet app. They immediately activated specialized teams and contacted external security and forensic experts to tackle the breach. WestJet sincerely apologized to guests for any disruption and confirmed in its latest notification (PDF) that the review of all affected data was finalized on September 15, 2025.
What Information Was Stolen?
WestJet stated in its June 2025 advisory that a criminal third party was responsible for gaining access to its network. The good news is that the safety of the airline’s flight operations was never at risk. Even better, sensitive financial data was not compromised; this includes credit card numbers, expiry dates, CVV numbers, and user passwords.
“At no time was the safety and integrity of our operations ever in question,” the company has confirmed.
The type of personal data stolen varies for each guest. It may include your name, date of birth, mailing address, and details from the travel document you used, such as your passport or other government-issued ID.
Further probing revealed that information for WestJet Rewards Members was also involved, specifically their Rewards ID number and point balances as of the date of the incident. This also applies to certain non-sensitive data for WestJet RBC Mastercard holders.
However, for most individuals, the airline states that the accessed information was not considered sensitive. If you booked travel for family members or others, WestJet asks that you pass this important information to them.
Action Taken by the Airline
The company has been working closely with law enforcement, including the Federal Bureau of Investigation, and has notified regulatory bodies like Transport Canada. To help protect those affected, WestJet is offering complimentary identity theft and monitoring services for 24 months through TransUnion.
This service includes up to $1,000,000 of expense reimbursement insurance. The airline urges anyone who may have been impacted to monitor their accounts closely for any suspicious activity.
Expert Commentary on the Breach
“It is very unfortunate that WestJet became a victim of yet another ransomware attack in the aviation space. For victims who had their data stolen, this could be a significant problem as modern air travel requires people to provide a lot of information,” said Erich Kron, CISO Advisor at KnowBe4, in a comment to Hackread.com.
“Stolen details such as passport or government identification, along with addresses and dates of birth, can facilitate significant identity theft. The fact that accommodations were among the stolen information could also impact victims through scams, and may raise regulatory issues if medical data was included,” he added.
“Recent attacks like this often use social engineering, specifically phone calls, to trick help desk employees into resetting passwords or multi-factor authentication. Once attackers gain access to a legitimate account, they can launch further attacks, steal information, or spread malware such as ransomware,” Kron explained.
“Organizations of every size and across every industry need to take precautions to manage human risk, especially for outward-facing staff or customer service roles. A good human risk management (HRM) program should address these types of attacks, as well as those sent through email or text messages, and also manage risks such as accidental errors,” Kron added.
