WestJet Customers Warned After Data Breach Exposes Passenger Passports and IDs

Canadian airline WestJet disclosed that sensitive information, including passenger travel documents, was exposed to criminals in a June cyberattack.

Data breach more serious than initially thought

WestJet has confirmed that a cybersecurity incident reported in June led to the exposure of sensitive personal data of passengers. While the airline initially described the attack as a disruption to internal systems and app services, a closer investigation revealed that passports, government IDs and other personal details were among the compromised information.

The breach notice, recently shared with customers and regulators in Canada and the United States, shines a light on the scale of the attack. The airline operates 153 aircraft across 104 destinations and carries over 25 million passengers annually, making the incident one of the most significant aviation-related breaches in recent years.

Personal and loyalty information compromised

The company’s review, concluded on Sept. 15, found that exposed data varied by individual. Records potentially accessed include:

• Full names
• Birth dates
• Mailing addresses
• Travel documents
• Special accommodation requests
• Customer complaints
• WestJet Rewards program information

Some customers’ WestJet RBC Mastercard account details were also compromised, though the airline said the details did not include credit card numbers, CVV codes or passwords.

Customers were advised that others traveling on the same booking number may also have been affected, implying that the fallout of the attack may have extended to colleagues, friends, and family members.

Investigation still ongoing

WestJet said it has yet to determine the full scope of the breach, suggesting that additional customers may be notified as the inquiry progresses. The airline is working closely with technical experts and law enforcement, including the FBI, to identify the culprits and prevent further intrusions.

While threat group Scattered Spider has targeted the aviation sector in recent months, WestJet has not named any suspects. The airline insists it has already taken “appropriate measures” to bolster its defenses.

Support for impacted customers

To mitigate risks, WestJet is offering impacted individuals two years of complimentary identity theft protection and credit monitoring, with enrollment available until Nov. 30. The company urged all recipients of its notice to remain vigilant for suspicious activity.

Dedicated software, such as Bitdefender Digital Identity Protection, can help you further mitigate the fallout of data breaches. It constantly scans both the public and the Dark Web for traces of your data, notifies you instantly if it detects signs of compromise, and helps you patch weak spots in your digital footprint with quick, one-click action items.