WestJet confirms recent breach exposed customers’ passports


Canadian airline WestJet is informing customers that the cyberattack disclosed in June compromised their sensitive information, including passports and ID documents.

WestJet is a major airline in North America that operates a fleet of 153 aircraft and serves 104 destinations, carrying over 25 million travelers annually.

On June 13, the company disclosed a cybersecurity incident that disrupted certain internal systems and made the WestJet app unavailable to customers.

Around that time, the Scattered Spider threat group focused their attacks on organizations in the aviation industry. However, there is no official attribution for the hackers behind the WestJet breach.

In the days following the disclosure, WestJet published multiple updates assuring customers that all appropriate measures to protect their data were being implemented, but the communications did not specify if the hackers managed to access any sensitive information.

The notification to customers was shared with authorities in the U.S. and confirms the impact, based on the results of the investigation that the company completed on September 15.

According to the findings, the following data types have been exposed to the attackers, varying per individual: 

  • Full name
  • Date of birth
  • Mailing address
  • Travel documents, such as passport or government ID
  • Requested accommodations
  • Filed complaints
  • WestJet Rewards Member ID, points, and other information
  • WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard information.

WestJet specified that no credit card or debit card numbers, expiry dates, CVV numbers, or user passwords were compromised.

The airline noted that recipients of the notification should inform other individuals who may have flown under the same booking number as them, as their information might have been exposed too.

WestJet states that it is still trying to determine the full scope of the incident, so this initial notice is being circulated to those confirmed to be impacted. However, it may not represent the complete impact of the compromise.

“We continue to work alongside our technical experts to determine the full extent of the incident,” reads the letter.

“While investigations of this nature are complicated and take time to complete, we have worked as quickly as possible to review the data we understand to be involved and to ascertain whether any of your personal information has been involved.”

The company also stated that the FBI is involved in the investigations and that it has taken all the appropriate measures to prevent similar incidents from occurring in the future.

The notices also enclose instructions on how to enroll in a free 2-year identity theft protection and monitoring service, redeemable by November 30.

BleepingComputer has reached out to WestJet to inquire about the number of customers affected, and we will update this post with their response.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.