WestJet has confirmed that a cyberattack led to the unauthorized access and theft of personal data from its systems, including sensitive passenger information and WestJet Rewards account details.
The Canadian airline disclosed the breach to affected individuals in a formal notification dated September 29, 2025, following an investigation that began in mid-June.
The breach was first publicly acknowledged on June 13, when WestJet reported technical disruptions across its internal platforms, mobile app, and website. At the time, the airline stated that flight safety and operations remained unaffected, while forensic teams worked to determine the nature and scope of the compromise.
According to the consumer notification issued now, threat actors successfully exfiltrated data from WestJet's network after gaining unauthorized access. The attacker was described as a “sophisticated criminal third party,” and the company has involved both internal security experts and external forensic teams in its investigation. On September 15, the airline completed its review of the exposed data, confirming that a subset of US-based customers had their personal information compromised.
WestJet, Canada's second-largest airline with over 700 daily flights and more than 25 million annual passengers, plays a key role in North American and international air travel.
The stolen data includes the following categories of information:
- Full name, date of birth, and mailing address
- Details related to government-issued travel documents, including passport numbers
- Travel-related data, such as accommodations or filed complaints
- WestJet Rewards information, including ID numbers and point balances
- For co-branded WestJet RBC Mastercard holders, data indicating card tier and rewards changes
WestJet stressed that no credit or debit card numbers, expiration dates, CVV codes, or user passwords were exposed in the breach. The airline also stated there is no evidence at this time that WestJet Rewards points are at risk.
Affected individuals were offered a complimentary 24-month subscription to TransUnion's myTrueIdentity monitoring service, which includes daily credit report updates, dark web monitoring, and up to $1 million in identity theft insurance coverage. The breach has been reported to law enforcement, including the FBI, and WestJet claims to be cooperating with the investigation.
While the technical details of the attack, including the initial vector and threat actor identity, remain undisclosed, the company noted it had taken containment measures early in the incident and has since reinforced its systems.
WestJet customers should enroll in the free identity monitoring service before November 30, 2025, monitor credit reports and account statements for unusual activity, and stay alert for phishing attempts referencing the airline.
Leave a Reply