WestJet has confirmed that a cybersecurity incident first detected on June 13 resulted in the unauthorized access and theft of personal data belonging to approximately 1.2 million customers. The Canadian airline disclosed the scale of the breach after completing an internal investigation and notifying U.S. regulators. In a notification sent to affected customers, WestJet described the attack as the work of a sophisticated criminal group and confirmed that law enforcement agencies are assisting with the investigation.
The airline, one of North America’s largest carriers with a fleet of more than 150 aircraft serving 104 destinations, acknowledged that the data stolen varies by individual but in many cases included sensitive identification records. Exposed information may consist of full names, dates of birth, mailing addresses, travel documents such as passports and government-issued IDs, requested accommodations, filed complaints, WestJet Rewards member IDs, loyalty points, and details related to WestJet-branded credit cards.
Importantly, WestJet emphasized that no credit card or debit card numbers, expiration dates, CVV codes, or user account passwords were taken in the incident.
“We continue to work alongside our technical experts to determine the full extent of the incident,” WestJet wrote in its customer notification.
The incident was first made public on June 13, when WestJet announced a cybersecurity disruption that temporarily impacted internal systems and made the airline’s mobile app unavailable. At that time, officials provided limited information about whether customer data had been accessed. The recent disclosure now confirms that sensitive customer records were stolen.
According to details from the investigation, attackers used social engineering tactics to reset an employee password and gained access through a remote desktop gateway. Once inside, they moved laterally across WestJet’s Windows-based networks and into its Microsoft cloud environment, where they exfiltrated files containing customer data.
In the weeks following the initial disclosure, WestJet issued several updates to reassure customers that measures were being implemented to protect data. However, it was not until September 15 that the company finalized its review and confirmed the scale of the compromise. The breach notification was subsequently filed with U.S. regulators, including the Maine Attorney General’s Office, and distributed to impacted customers.
The company noted that recipients of its notification should alert other individuals who may have traveled under the same booking number, as their information could also have been exposed. WestJet further cautioned that the initial set of notifications may not represent the complete impact of the incident, as the investigation into compromised systems and stolen data is still ongoing.
“While investigations of this nature are complicated and take time to complete, we have worked as quickly as possible to review the data we understand to be involved,” the airline explained.
To assist affected individuals, WestJet is offering complimentary enrollment in a two-year identity theft protection and monitoring program. Impacted customers have until November 30 to register for the service. The airline also provided advice on monitoring accounts, reviewing travel records, and watching for suspicious activity that could indicate fraud or identity misuse.
The Federal Bureau of Investigation is assisting in the investigation, alongside Canadian cybersecurity authorities. WestJet stated that it has already taken steps to strengthen network security and prevent future incidents. These steps reportedly include enhanced monitoring of systems, stricter password reset procedures, and additional technical safeguards across remote access points.
The breach has placed WestJet under scrutiny not only from regulators but also from privacy advocates concerned about the protection of sensitive travel and identification documents. Given the nature of the information exposed—particularly passports and government IDs—security experts warn that affected individuals face heightened risks of identity theft and fraudulent account activity.
For an airline that transports over 25 million passengers annually, the scale of this breach represents one of the most significant cyber incidents in Canada’s aviation sector to date. Legal experts also note that WestJet could face regulatory inquiries and consumer lawsuits over the breach and its handling of customer data.
In its communications, WestJet stressed that it will continue providing updates as the investigation unfolds and is committed to improving its security posture. The company said that additional security measures are already being implemented, with more steps planned as forensic reviews conclude.
“The American people deserve results from their government.”
While the company has confirmed that sensitive identity and travel data were accessed, the airline reassured customers that no financial account numbers or passwords were included in the stolen files. Nevertheless, officials urged passengers to remain vigilant, review their records, and take advantage of the identity monitoring services being offered.
As the investigation continues, customers and regulators alike will be watching closely to assess both the long-term impact of the breach and the airline’s ability to rebuild trust.
