In June 2025, WestJet fell victim to a cyberattack executed by a sophisticated, criminal third party, resulting in the unauthorized access of some passengers' personal information. While the airline confirmed the breach, it clarified that most compromised data was not classified as 'sensitive'—suggesting the exposure may have included non-critical details like basic contact information or booking references rather than financial, health, or highly confidential records. The incident prompted a formal notice to affected U.S. residents, indicating cross-border implications. WestJet’s ongoing investigation suggests the attackers targeted passenger data, but the absence of large-scale financial fraud or systemic operational disruption implies the impact was contained to personal (non-sensitive) information leaks. The airline has not disclosed whether the breach stemmed from a vulnerability, phishing, or direct infiltration, but the involvement of a criminal actor points to a deliberate cyber attack rather than an accidental exposure.
Source: https://ca.news.yahoo.com/westjet-passengers-personal-stolen-security-182529490.html
TPRM report: https://www.rankiteo.com/company/westjet
"id": "wes1303013093025",
"linkid": "westjet",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Some passengers (exact number '
'unspecified)',
'industry': 'Aviation/Transportation',
'location': 'Canada (with U.S. residents notified)',
'name': 'WestJet',
'type': 'Airline'}],
'customer_advisories': 'Public disclosure and notice to affected U.S. '
'residents',
'data_breach': {'data_exfiltration': 'Yes (data obtained by threat actor)',
'personally_identifiable_information': 'Yes (unspecified '
'personal information)',
'sensitivity_of_data': 'Low (non-sensitive in most cases)',
'type_of_data_compromised': 'Personal information '
'(non-sensitive in most cases)'},
'date_detected': '2025-06-13',
'date_publicly_disclosed': '2025-09-29',
'description': "WestJet disclosed that some passengers' personal information "
'was obtained in a cyberattack on June 13, 2025. The airline '
"stated that the breach, carried out by a 'sophisticated, "
"criminal third party,' did not involve 'sensitive' data in "
'most cases. A notice was issued to U.S. residents as part of '
'the ongoing investigation.',
'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
'public disclosure of breach',
'data_compromised': ['Passenger personal information '
'(non-sensitive in most cases)'],
'identity_theft_risk': 'Low (non-sensitive data in most cases)'},
'investigation_status': 'Ongoing (as of September 29, 2025)',
'references': [{'date_accessed': '2025-09-29',
'source': 'WestJet Public Disclosure'}],
'regulatory_compliance': {'regulatory_notifications': 'Notice issued to U.S. '
'residents (potential '
'compliance with '
'state/data breach '
'laws)'},
'response': {'communication_strategy': 'Public disclosure and notice to U.S. '
'residents',
'incident_response_plan_activated': 'Yes (ongoing probe '
'mentioned)'},
'stakeholder_advisories': 'Notice issued to U.S. residents',
'threat_actor': 'Sophisticated, criminal third party',
'title': 'WestJet Cyberattack Leading to Passenger Data Exposure',
'type': 'Data Breach'}