WestJet confirms customer ID, passports stolen in June cyberattack

WestJet confirmed that in a June 2025 cybersecurity incident, a “sophisticated, criminal third party” gained unauthorized access to some of its internal systems and obtained customer data.
According to the airline, though, the most sensitive data bits, such as credit card data and passwords, were not among the breached items. WestJet is now informing the public of the incident in accordance with regulatory obligations.
What was exposed?
WestJet acknowledges that the data accessed during the June cyberattack varies between individuals. Compromised information may have included:
- Names, contact details (e.g. phone, email)
- Reservation and travel documentation submitted by guests (e.g. government IDs, passports, related documents)
- Data regarding the guests’ relationship with WestJet (e.g. loyalty account and past interactions)
For some individuals, more sensitive information may have been included, though WestJet frames that as an exception. WestJet insists that no credit card or debit card numbers, expiration dates, CVV codes, or guest user account passwords were obtained in the breach. Additionally, the airline states that the safety or integrity of its flight operations was never at risk during the incident.
WestJet Rewards members’ impact
A data breach notification obtained by BleepingComputer additionally identifies that the exposed data includes:
- WestJet Rewards Member ID, points, and other information
- Additional information linked to your WestJet Rewards account, for members with WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard.
WestJet cyber attack timeline
On June 13, 2025, WestJet had detected suspicious activity in its systems, following which, the airline immediately initiated forensic investigation and containment efforts. As operations continued, customers experienced intermittent service interruptions or errors when accessing the WestJet app or website. On September 15, 2025, WestJet completed its technical and data analysis and prepared notices to affected U.S. residents.
The airline continued to provide updates on its investigation in the days following the incident, including a “Notice of Cybersecurity Incident for U.S. Residents,” and began sending out notifications. The airline engaged external forensic teams and cooperated with law enforcement agencies, including the FBI (for U.S. implications) and the Canadian Centre for Cyber Security.
WestJet encourages customers to stay vigilant. That means, checking account statements, monitoring credit reports, and reporting any suspicious activity promptly.