WestJet, a prominent Canadian airline headquartered in Calgary, has confirmed a cybersecurity breach that compromised the personal information of several passengers. The incident came to light on June 13, 2025, prompting the airline to release an initial advisory shortly thereafter.
The breach was identified when WestJet noticed unusual activity within its systems, including restricted access for several users to internal platforms and the WestJet application. The airline swiftly engaged specialized cybersecurity teams and reached out to external security and forensic experts to address the situation. In a formal notification, WestJet expressed its sincere apologies to affected customers and confirmed that a comprehensive review of the impacted data was completed by September 15, 2025.
What Information Was Compromised?
According to WestJet’s advisory issued in June 2025, a malicious third party accessed its network, although the integrity of the airline’s flight operations was never jeopardized. Importantly, sensitive financial information such as credit card details, expiry dates, CVV numbers, and user passwords were not affected.
The company has affirmed that the safety and security of its operations were maintained throughout the incident. The compromised personal data varied among individuals but could include names, dates of birth, mailing addresses, and information from travel documents like passports or government-issued IDs.
Moreover, some information pertaining to WestJet Rewards members was exposed, specifically their Rewards ID numbers and point balances at the time of the incident. This also includes certain non-sensitive information related to WestJet RBC Mastercard holders. However, for the majority of individuals, the data accessed is classified as non-sensitive. WestJet has urged customers who booked travel for others to relay this critical information to them.
Actions Taken by WestJet
The airline is cooperating with law enforcement agencies, including the Federal Bureau of Investigation, and has notified regulatory authorities such as Transport Canada. To assist those affected, WestJet is offering complimentary identity theft protection and credit monitoring services for 24 months through TransUnion. This service is accompanied by reimbursement insurance of up to $1,000,000 for associated expenses. WestJet is advising individuals to closely monitor their accounts for any signs of suspicious activity.
Expert Analysis
Erich Kron, a CISO Advisor at KnowBe4, commented on the implications of this breach, mentioning the increasing prevalence of ransomware attacks within the aviation sector. For victims whose data has been stolen, the repercussions can be significant, as modern air travel requires individuals to provide a wealth of personal information. The theft of sensitive details such as government identification, along with personal addresses and birthdates, could facilitate identity theft and raise regulatory concerns if medical information was included.
Kron highlighted that recent attacks often leverage social engineering tactics, including deceptive phone calls designed to manipulate help desk personnel into resetting accounts or bypassing multi-factor authentication. Once attackers gain access to legitimate accounts, they can initiate further breaches, pilfer information, or deploy malware like ransomware.
Organizations across all sectors must prioritize human risk management, especially for customer-facing staff. A robust human risk management program should address these types of cyber threats, as well as vulnerabilities presented through email or text-based interactions, and include strategies for mitigating accidental errors.
