WestJet Airlines disclosed a data breach on October 1, 2025 that compromised the personal records of approximately 1.2 million passengers. The breach, which occurred on June 13, 2025, went undetected for over three months before WestJet's security team identified the unauthorized access during a routine audit. The incident has raised serious questions about cybersecurity practices in Canada's aviation sector.
What Happened
The attack occurred on June 13, 2025 when threat actors exploited compromised credentials to gain initial access to WestJet's passenger data systems. Analysis indicates the attackers followed techniques consistent with MITRE ATT&CK framework tactics, specifically credential access methods to obtain valid accounts, followed by data staging techniques to collect and package large volumes of passenger records for exfiltration.
WestJet publicly disclosed the breach on October 1, 2025 after completing an initial forensic investigation. The nearly four-month gap between the breach and disclosure has drawn criticism from privacy advocates and regulators, though WestJet maintains the delay was necessary to fully understand the scope of the compromise.
Scope of the Breach
Approximately 1.2 million passenger records were compromised, including:
- Full legal names and dates of birth
- Residential and mailing addresses
- Travel document details (passport numbers and expiry dates)
- WestJet Rewards loyalty program account information
- Flight booking history and itinerary data
WestJet has confirmed that no credit card numbers, payment information, or account passwords were exposed in the breach. However, the combination of passport data with personal identifiers creates significant identity theft and travel fraud risks for affected passengers.
WestJet's Response
Following the disclosure, WestJet took the following remediation actions:
- Engaged a leading cybersecurity firm to conduct a comprehensive forensic investigation
- Reported the breach to Transport Canada and the Office of the Privacy Commissioner of Canada
- Offered 24 months of complimentary identity theft protection to all affected passengers
- Forced a password reset for all WestJet Rewards accounts
- Implemented enhanced multi-factor authentication across all internal systems
What Affected Passengers Should Do
If you travelled with WestJet or hold a WestJet Rewards account, CyberSafe recommends the following actions:
- Enroll in the 24-month identity theft protection service offered by WestJet
- Monitor your passport for any unauthorized use and consider reporting it to Passport Canada if your data was compromised
- Change your WestJet Rewards password and any other accounts that shared the same credentials
- Be vigilant for targeted phishing emails referencing your travel history or loyalty account
- Place fraud alerts with Equifax Canada and TransUnion Canada
- Review your credit reports for any unfamiliar inquiries or accounts
Aviation Security Implications
The WestJet breach highlights a growing concern across the global aviation industry. Airlines store vast quantities of sensitive passenger data, including government-issued identity documents, making them high-value targets for sophisticated threat actors. The exposure of passport details is particularly alarming as it can facilitate travel document fraud and border security evasion.