Canadian airline **WestJet** suffered a cyberattack in June 2024 that compromised the personal data of **1.2 million customers**. The breach is attributed to social engineering: attackers targeted an employee's password reset to gain access through Citrix, which allowed them to infiltrate Windows and Microsoft cloud networks. Exposed data included **full names, dates of birth, mailing addresses, passports/government IDs, travel documents, accommodation requests, complaints, and WestJet Rewards/Mastercard details** (credit/debit card numbers, CVVs, and passwords were not exposed). The FBI is investigating, and WestJet offered **2-year identity theft protection** to affected individuals. The airline, which serves **25M+ travelers annually**, warned that the full scope remains undetermined, with potential further exposure of individuals who flew under shared booking numbers. Threat actors linked to **Scattered Spider** (targeting aviation) were suspected but not officially confirmed.
WestJet cybersecurity rating report: https://www.rankiteo.com/company/westjet
{
"id": "wes1031510111025",
"linkid": "westjet",
"type": "Cyber Attack",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '1,200,000',
'industry': 'Aviation',
'location': 'Canada (Headquartered in Calgary, '
'Alberta)',
'name': 'WestJet',
'size': 'Large (153 Aircraft, 104 Destinations, 25M+ '
'Annual Travelers)',
'type': 'Airline'}],
'attack_vector': ['Social Engineering',
'Password Reset Exploitation',
'Citrix Access'],
'customer_advisories': ['Notify individuals who may have flown under the same '
'booking number (their data may also be exposed).',
'Enroll in 2-year free identity theft protection by '
'November 30, 2024.',
'Monitor financial accounts and credit reports for '
'suspicious activity.'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '1,200,000',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII, Travel Documents, '
'Financial Account Details)',
'type_of_data_compromised': ['Full Name',
'Date of Birth',
'Mailing Address',
'Travel Documents (Passport, '
'Government ID)',
'Requested Accommodations',
'Filed Complaints',
'WestJet Rewards Member ID and '
'Points',
'WestJet RBC Mastercard '
'Information (Non-Payment '
'Details)']},
'date_detected': '2024-06-13',
'date_publicly_disclosed': '2024-06-13',
'description': 'Canadian airline WestJet disclosed a cyberattack in June 2024 '
'that disrupted internal systems, made the WestJet app '
'unavailable, and compromised the personal information of 1.2 '
'million customers, including passports and ID documents. The '
'breach was executed via social engineering, targeting an '
"employee's password reset to gain access through Citrix, "
'compromising Windows and Microsoft cloud networks. The FBI is '
'involved in the ongoing investigation, and WestJet is '
'offering free identity theft protection to affected '
'customers.',
'impact': {'brand_reputation_impact': ['Negative (High-Profile Breach '
'Affecting 1.2M Customers)'],
'customer_complaints': ['Potential Increase (Not Quantified)'],
'data_compromised': True,
'downtime': ['WestJet App Unavailability (Duration Unspecified)'],
'identity_theft_risk': ['High (PII and Travel Documents Exposed)'],
'legal_liabilities': ['Potential (Ongoing Investigation)'],
'operational_impact': ['Disruption of Internal Systems',
'Customer Service Interruptions'],
'payment_information_risk': ['Low (No Credit/Debit Card Numbers, '
'CVV, or Passwords Compromised)'],
'systems_affected': ['Internal Systems',
'WestJet App',
'Windows Networks',
'Microsoft Cloud Network']},
'initial_access_broker': {'backdoors_established': ['Likely (Given Lateral '
'Movement to Windows and '
'Cloud Networks)'],
'entry_point': 'Employee Password Reset via Social '
'Engineering',
'high_value_targets': ['Customer PII',
'Travel Documents',
'Loyalty Program Data']},
'investigation_status': 'Ongoing (FBI Involved, Full Scope Not Yet Determined '
'as of September 2024)',
'lessons_learned': ['Social engineering remains a critical attack vector, '
'especially via password resets.',
'Third-party access points (e.g., Citrix) require robust '
'monitoring and hardening.',
'Cloud environments (e.g., Microsoft) must be segmented '
'and protected against lateral movement.',
'Transparent communication with customers and regulators '
'is essential, even when details are incomplete.'],
'motivation': ['Data Theft', 'Potential Financial Gain', 'Disruption'],
'post_incident_analysis': {'corrective_actions': ['Review and harden password '
'reset and MFA policies.',
'Enhance Citrix and remote '
'access security controls.',
'Implement network '
'segmentation to limit '
'breach impact.',
'Expand employee '
'cybersecurity training '
'programs.'],
'root_causes': ['Successful social engineering '
'attack targeting password reset '
'mechanisms.',
'Inadequate protections for Citrix '
'remote access gateway.',
'Lack of segmentation between '
'Windows networks and Microsoft '
'cloud environment.']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Implement multi-factor authentication (MFA) for all '
'password reset and privileged access workflows.',
'Conduct regular social engineering drills and employee '
'training to mitigate human error risks.',
'Enhance logging and monitoring for Citrix and other '
'remote access gateways.',
'Adopt zero-trust principles to limit lateral movement '
'within cloud and on-premises networks.',
'Proactively engage with law enforcement and '
'cybersecurity firms during incident response.',
'Offer comprehensive identity protection services to '
'affected customers to mitigate long-term risks.'],
'references': [{'source': 'BleepingComputer',
'url': 'https://www.bleepingcomputer.com'},
{'source': "Maine Attorney General's Office (Data Breach "
'Notification)'},
{'date_accessed': '2024-09-15',
'source': 'WestJet Customer Notification Letter'}],
'regulatory_compliance': {'legal_actions': ['Ongoing FBI Investigation'],
'regulations_violated': ['Potential Violations '
'(Under Investigation)'],
'regulatory_notifications': ['Maine Attorney '
"General's Office "
'(U.S.)']},
'response': {'communication_strategy': ['Public Disclosure (June 13)',
'Customer Notifications (September '
'15)',
'Regulatory Filings (Maine AG Office)',
'Ongoing Updates'],
'containment_measures': ["Unspecified (Claimed as 'Appropriate "
"Measures')"],
'enhanced_monitoring': ["Likely (Implied by 'Appropriate "
"Measures')"],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['System Restoration',
'Customer Notification Process'],
'remediation_measures': ['Password Reset Protocols Review',
'Citrix Security Enhancements',
'Microsoft Cloud Security Updates'],
'third_party_assistance': ['Technical Experts (Unspecified)',
'FBI']},
'stakeholder_advisories': ['Customers advised to monitor for identity theft '
'and enroll in free protection by November 30, '
'2024.'],
'threat_actor': ['Unattributed (Potentially Linked to Scattered Spider)'],
'title': 'WestJet Cyberattack Compromises Personal Data of 1.2 Million '
'Customers',
'type': ['Cyberattack', 'Data Breach', 'Social Engineering'],
'vulnerability_exploited': ['Human Error (Social Engineering)',
'Weak Password Reset Mechanisms',
'Citrix Vulnerability']}