WestJet confirms customer ID, passports stolen in June cyberattack

Ax Sharma October 1, 2025 0
westjet-airplane

WestJet confirmed that in a June 2025 cybersecurity incident, a “sophisticated, criminal third party” gained unauthorized access to some of its internal systems and obtained customer data.

According to the airline, though, the most sensitive data bits, such as credit card data and passwords, were not among the breached items. WestJet is now informing the public of the incident in accordance with regulatory obligations.

What was exposed?

WestJet acknowledges that the data accessed during the June cyberattack varies between individuals. Compromised information may have included:

  • Names, contact details (e.g. phone, email)
  • Reservation and travel documentation submitted by guests (e.g. government IDs, passports, related documents)
  • Data regarding the guests’ relationship with WestJet (e.g. loyalty account and past interactions)

For some individuals, more sensitive information may have been included, though WestJet frames that as an exception. WestJet insists that no credit card or debit card numbers, expiration dates, CVV codes, or guest user account passwords were obtained in the breach. Additionally, the airline states that the safety or integrity of its flight operations was never at risk during the incident.

WestJet Rewards members’ impact

A data breach notification obtained by BleepingComputer additionally identifies that the exposed data includes:

  • WestJet Rewards Member ID, points, and other information
  • Additional information linked to your WestJet Rewards account, for members with WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard.

WestJet cyber attack timeline

On June 13, 2025, WestJet had detected suspicious activity in its systems, following which, the airline immediately initiated forensic investigation and containment efforts. As operations continued, customers experienced intermittent service interruptions or errors when accessing the WestJet app or website. On September 15, 2025, WestJet completed its technical and data analysis and prepared notices to affected U.S. residents.

The airline continued to provide updates on its investigation in the days following the incident, including a “Notice of Cybersecurity Incident for U.S. Residents,” and began sending out notifications. The airline engaged external forensic teams and cooperated with law enforcement agencies, including the FBI (for U.S. implications) and the Canadian Centre for Cyber Security.

WestJet encourages customers to stay vigilant. That means, checking account statements, monitoring credit reports, and reporting any suspicious activity promptly.

About the author

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

See author's posts

More Stories

us-air-force

US Air Force Probes Potential SharePoint-Linked Privacy Breach

Ax Sharma October 3, 2025 0
building wrapped with string lights during night time

Harrods third-party breach exposes 430,000 customer records, hackers reach out

Ax Sharma October 1, 2025 0
a close up of a red and black flag

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

Security Report News December 30, 2023 0

Leave a Reply