Earlier this year, WestJet revealed that some of its passengers were affected by a cyberattack that resulted in the theft of personal information. The WestJet data breach, which took place in June 2025, has now been confirmed to have targeted passenger data.
While the airline has confirmed that no credit card numbers, debit card details, or user passwords were compromised, the breach involved sensitive information such as passports and other travel-related data. In a conversation with TCE, WestJet answered multiple questions related to the incident. The questions were shared via an update listed on the website.
The WestJet Data Breach
The WestJet data breach was discovered on June 13, 2025, when the airline detected suspicious activity within its systems. A subsequent investigation confirmed that an unauthorized third party had gained access to parts of the airline’s infrastructure.
The stolen data varies for each affected individual, but it includes personal details such as names, dates of birth, email addresses, phone numbers, and mailing addresses. Recent travel booking information, including booking numbers, was also compromised.
More concerning, however, is the exposure of travel documents, such as passports or other government-issued identification information, which are highly sensitive and valuable to criminals.
WestJet clarified that no credit card or debit card numbers were obtained during the cyberattack. Similarly, user passwords associated with accounts were not part of the breach. Despite these reassurances, the stolen personal data, including travel history and passport information, could still be used for identity theft or fraud.
Response to the WestJet Cyberattack
Following the discovery of a cybersecurity incident on June 13, 2025, WestJet took immediate action to investigate and contain the breach. According to the airline, the suspicious activity was traced to “a sophisticated criminal third party who gained unauthorized access” to its systems. WestJet emphasized that “at no point was the safety and integrity of our airline operations in question.”
The airline engaged both internal teams and external cybersecurity experts to perform a thorough technical and forensic analysis. WestJet later confirmed that the incident was “successfully contained” and that it had implemented “additional system and data security measures” to protect against future threats.
Despite containment, the investigation confirmed that “certain data was illegally obtained,” including information from some travel bookings and limited employee data. Importantly, WestJet noted that “no credit card or debit card numbers and no guest user passwords were obtained.”
In line with regulatory requirements, WestJet is proactively reaching out to affected individuals through its authorized partner Cyberscout, a division of TransUnion. Impacted guests are being offered 24 months of complimentary identity theft protection and monitoring services to help safeguard against potential misuse of their data.
The airline also assured customers that WestJet Rewards accounts were not compromised, stating, “We have no indication that WestJet points or point systems are at risk as a result of this incident.” Flight bookings remain unaffected, and the company continues to encourage passengers to monitor their accounts and remain vigilant against phishing and scams.
The Cyber Express reached out to WestJet for further clarification regarding the breach. In response, WestJet addressed multiple concerns and reiterated its commitment to data privacy and security. The company stated, “We take this situation very seriously. Privacy and information security are top priorities, and strict measures are in place to protect the information in our care.”
Furthermore, WestJet reported the breach to appropriate authorities, including Transport Canada, the Office of the Privacy Commissioner of Canada, and provincial and international data protection bodies. The airline has pledged ongoing efforts to strengthen its cyber defenses, adding, “Although our IT defences have always been strong, we have bolstered our defences to further enhance our system’s security and overall IT infrastructure.”
As cyber threats continue to evolve, WestJet maintains that its cybersecurity remains a strategic priority. “We invest in cybersecurity capabilities as a key priority to improve and enhance our cyber resiliency,” the airline concluded.
Regulatory Oversight and Ongoing Investigation
Following the WestJet data breach, the airline notified the relevant authorities, including Canada’s Privacy Commissioner, Transport Canada, and other provincial and international bodies.
The breach is under investigation by the Office of the Privacy Commissioner of Canada, which will assess whether the airline met its legal obligations regarding data protection. In addition, WestJet has worked closely with law enforcement agencies and the Canadian Centre for Cyber Security to identify the perpetrators behind the attack.
While WestJet has contained the breach, the investigation is still ongoing. The airline has implemented additional security measures to strengthen its systems and prevent similar incidents in the future. The company has also made further updates to its cybersecurity protocols as part of its ongoing response to the attack.