WestJet, Canada’s second-largest airline, suffered a sophisticated cyberattack in mid-2025, resulting in the unauthorized access and theft of sensitive passenger data. The breach, disclosed on September 29, 2025, confirmed that a criminal third party exfiltrated personal information, including full names, dates of birth, mailing addresses, passport numbers, travel-related details (accommodations, complaints), and WestJet Rewards account data (IDs, point balances). While credit/debit card numbers, CVV codes, and passwords remained uncompromised, the attack exposed government-issued travel documents and loyalty program details of a subset of US-based customers. The airline initiated containment measures early in the incident and engaged internal security teams and external forensic experts to investigate. Affected individuals were offered 24 months of TransUnion’s myTrueIdentity monitoring (credit reports, dark web monitoring, $1M identity theft insurance). The breach was reported to law enforcement, including the FBI, though the initial attack vector and threat actor identity remain undisclosed. WestJet emphasized no evidence of Rewards points being misused but warned customers to monitor for phishing attempts and unusual account activity. The incident highlights risks to customer trust, regulatory scrutiny, and potential financial fraud, though flight operations remained unaffected.
Source: https://cyberinsider.com/westjet-confirms-data-breach-impacting-passenger-identity-data/
TPRM report: https://www.rankiteo.com/company/westjet
"id": "wes5292352093025",
"linkid": "westjet",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Subset of US-based customers '
'(exact number unspecified)',
'industry': 'Aviation/Transportation',
'location': 'Canada (headquartered in Calgary, '
'Alberta)',
'name': 'WestJet',
'size': 'Large (over 700 daily flights, 25+ million '
'annual passengers)',
'type': 'Airline'}],
'customer_advisories': 'Formal notification sent to affected individuals '
'(September 29, 2025); public advisory issued (June '
'13, 2025)',
'data_breach': {'data_exfiltration': 'Confirmed',
'personally_identifiable_information': ['Full name',
'Date of birth',
'Mailing address',
'Passport numbers',
'WestJet Rewards ID '
'numbers'],
'sensitivity_of_data': 'High (includes government-issued ID '
'details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Travel-related data',
'Loyalty program data (WestJet '
'Rewards)',
'Financial account metadata '
'(co-branded credit card '
'tier/rewards)']},
'date_detected': 'mid-June 2025',
'date_publicly_disclosed': '2025-06-13',
'description': 'WestJet confirmed a cyberattack that led to unauthorized '
'access and theft of personal data, including sensitive '
'passenger information and WestJet Rewards account details. '
'The breach was first detected in mid-June 2025, with public '
'disclosure on June 13, 2025. A subset of US-based customers '
'had their personal information compromised, including full '
'names, dates of birth, mailing addresses, government-issued '
'travel document details (e.g., passport numbers), '
'travel-related data, and WestJet Rewards information. No '
'credit/debit card numbers, expiration dates, CVV codes, or '
'passwords were exposed. Affected individuals were offered 24 '
'months of free TransUnion identity monitoring services.',
'impact': {'data_compromised': ['Full name',
'Date of birth',
'Mailing address',
'Government-issued travel document details '
'(e.g., passport numbers)',
'Travel-related data (e.g., accommodations, '
'filed complaints)',
'WestJet Rewards information (ID numbers, '
'point balances)',
'Co-branded WestJet RBC Mastercard data (card '
'tier, rewards changes)'],
'downtime': 'Technical disruptions reported on June 13, 2025 '
'(duration unspecified)',
'identity_theft_risk': 'High (mitigated by 24-month TransUnion '
'myTrueIdentity monitoring service)',
'operational_impact': 'Flight safety and operations remained '
'unaffected',
'payment_information_risk': 'None (no credit/debit card numbers, '
'expiration dates, CVV codes, or '
'passwords exposed)',
'systems_affected': ['Internal platforms',
'Mobile app',
'Website']},
'investigation_status': 'Completed (data review finalized on September 15, '
'2025)',
'post_incident_analysis': {'corrective_actions': 'Systems reinforced '
'post-incident'},
'ransomware': {'data_exfiltration': 'Yes'},
'recommendations': ['Enroll in free 24-month TransUnion myTrueIdentity '
'monitoring service (deadline: November 30, 2025)',
'Monitor credit reports and account statements for '
'unusual activity',
'Stay alert for phishing attempts referencing WestJet'],
'references': [{'date_accessed': '2025-09-29',
'source': 'WestJet Consumer Notification'}],
'response': {'communication_strategy': 'Formal notification to affected '
'individuals (September 29, 2025); '
'public acknowledgment (June 13, '
'2025); offer of free identity '
'monitoring services',
'containment_measures': 'Implemented early in the incident',
'incident_response_plan_activated': 'Yes (forensic teams '
'involved)',
'law_enforcement_notified': 'Yes (including FBI)',
'remediation_measures': 'Systems reinforced post-incident',
'third_party_assistance': 'Yes (external forensic teams)'},
'threat_actor': 'Sophisticated criminal third party',
'title': 'WestJet Data Breach (2025)',
'type': 'Data Breach'}