Canadian airline WestJet began notifying customers impacted by a June 2025 security breach that affected the personal data of 1.2 million people.WestJet first disclosed the cybersecurity incident on June 13, 2025, which was said to affect internal systems and the WestJet app but not disrupt overall airline operations or jeopardize operational safety. The company later confirmed in July that a “sophisticated, criminal third party” had gain unauthorized access to customer data as a result of the incident.In a notification to the U.S. Maine Attorney General on Monday, WestJet confirmed that the breach hit 1.2 million people, following an investigation that concluded on Sept. 15, 2025.Breached data, which varied from person to person, included names, dates of birth, addresses, travel documents such as passports and other government IDs, and other travel-related information such as accommodations requests or filed complaints.WestJet Rewards Members and WestJet RBC Mastercard, WestJet RBC World Elite Mastercard and WestJet RBC World Elite Mastercard for Business cardholders also may have had details about their Rewards accounts leaked, including account ID numbers and points balances.However, WestJet said no account passwords or credit card details were affected by the breach, nor were members at risk of having their points stolen.“Most of the data exposed in this attack does not pose a direct threat to WestJet customers, but it could be used to craft personalized and convincing phishing messages,” Comparitech Consumer Privacy Advocate Paul Bischoff noted in an email to SC Media. “Be on the lookout for phishing emails and text messages from scammers posing as WestJet or a related company.”The airline said it immediately took steps to secure its environment and begin a technical and forensic analysis after discovery of the incident, and that “additional system and data security measures have been implemented to enhance our existing security program.”“Cyber security is an issue we take very seriously at WestJet. While cyber incidents are not completely avoidable, even with the most stringent protections in place, WestJet’s IT defences have always been strong, and we have bolstered our defences to further enhance our system’s security and overall IT infrastructure,” the company said in an FAQ about the cyberattack.The incident was also reported to law enforcement and government authorities including the Canadian Centre for Cyber Security, Transport Canada, the Office of the Privacy Commissioner of Canada and the U.S. Federal Bureau of Investigation (FBI).WestJet is providing 24 months of free identity theft and monitoring to affected individuals including up to $1 million of expense reimbursement insurance, through TransUnion’s myTrueIdentity service.The air travel industry has faced several significant breaches in recent months, including a major supply chain attack on Collins Aerospace software disrupting operations at multiple airports in Europe last month. In June, Australian airline Qantas suffered a breach affecting 5.7 million people.
Data Security, Breach, Privacy
WestJet breach hits 1.2 million people, affects passports, IDs
(Credit: robin – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds