Canadian airline WestJet has revealed that 1.2 million customers have been impacted by a data breach following a June 2025 cyber-attack.

The firm provided the update in a data breach notification to the Office of the Maine Attorney General on September 29.

Following an investigation into the network intrusion, WestJet found that a range of customers’ personal information was accessed by the “criminal third party.”

This included names, contact details, documents and information provided in connection with their reservation and travel, and data regarding their relationship with WestJet.

Additionally, for WestJet Rewards Members, information linked to their membership may have been accessed by the attackers. This data could include their WestJet Rewards ID number and points balance on the date of the incident, as well as other information linked to the use of their account.

Passwords used to access Rewards accounts were not included in the breach.

WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard for Business cardholders may have had additional information compromised. This may include a credit card identifier type and information about changes to their WestJet points balance.

The data involved varies for individual customers, who are each being contacted by the firm about the incident.

“Importantly, credit card or debit card numbers, expiry dates and CVV numbers, and guest user passwords, were not compromised, and our systems are fully secure. At no time was the safety and integrity of our operations ever in question,” WestJet wrote in its notification letter to customers.

The airline acknowledged that the stolen data could be used for identity theft and fraud attacks, including in the context of any booked travel.

While it is not aware of any such misuse, the firm is offering identity theft protection services to relevant individuals “where appropriate.”

WestJet is cooperating with Canadian law enforcement and government agencies as it continues to investigate the incident.

No details about how the attack occurred have been shared. WestJet said the attack was carried out by a “sophisticated, criminal third party,” who gained unauthorized access to its systems.

“Given the significant importance of data security to the integrity of our business, we are prepared for incidents of this nature and followed our response planning by taking immediate action to contain the incident and secure our systems. As a result, at no point was the safety and integrity of our airline operations in question,” WestJet noted.

Air Travel Under Heavy Attack

The WestJet data breach, first identified on June 13, came amid a plethora of cyber incidents impacting major airlines in the summer months.

Other victims included Australian airline Qantas and Hawaiian Airlines.

Qantas later revealed that nearly six million customers had their personal data breached.

The main aim of these attacks appears to have been data theft rather than targeting the airlines’ physical operations.

The FBI warned on 27 June that the notorious Scattered Spider actor was actively targeting airlines with ransomware and data extortion attacks. The group targets third-party IT providers with social engineering techniques for initial access.

In September, a cyber-attack targeting a third-party software supplier caused flight cancellations and delays at several European airports, including London’s Heathrow Airport and terminals in Brussels, Berlin and Dublin.

UK authorities revealed on September 24 that they had arrested a man in connection with the attack.
