WestJet confirms customer ID, passports stolen in June cyberattack

WestJet confirmed that in a June 2025 cybersecurity incident, a “sophisticated, criminal third party” gained unauthorized access to some of its internal systems and obtained customer data.

According to the airline, though, the most sensitive data, such as credit card data and passwords, was not among the breached items. WestJet is now informing the public of the incident in accordance with regulatory obligations.

What was exposed?

WestJet acknowledges that the data accessed during the June cyberattack varies between individuals. Compromised information may have included:

  • Names, contact details (e.g. phone, email)
  • Reservation and travel documentation submitted by guests (e.g. government IDs, passports, related documents)
  • Data regarding the guests’ relationship with WestJet (e.g. loyalty account and past interactions)

For some individuals, more sensitive information may have been included, though WestJet frames that as an exception. WestJet insists that no credit card or debit card numbers, expiration dates, CVV codes, or guest user account passwords were obtained in the breach. Additionally, the airline states that the safety or integrity of its flight operations was never at risk during the incident.

WestJet Rewards members’ impact

A data breach notification obtained by BleepingComputer additionally states that the exposed data includes:

  • WestJet Rewards Member ID, points, and other information
  • Additional information linked to your WestJet Rewards account, for members with WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard.

WestJet cyber attack timeline

On June 13, 2025, WestJet detected suspicious activity in its systems, after which the airline immediately initiated a forensic investigation and containment efforts. As operations continued, customers experienced intermittent service interruptions or errors when accessing the WestJet app or website. On September 15, 2025, WestJet completed its technical and data analysis and prepared notices to affected U.S. residents.

The airline continued to provide updates on its investigation in the days following the incident, including a “Notice of Cybersecurity Incident for U.S. Residents,” and began sending out notifications. The airline engaged external forensic teams and cooperated with law enforcement agencies, including the FBI (for U.S. implications) and the Canadian Centre for Cyber Security.

WestJet encourages customers to stay vigilant. That means checking account statements, monitoring credit reports, and reporting any suspicious activity promptly.

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
