WestJet has confirmed a data breach affecting 1.2 million passengers, compromising a significant amount of personal and travel data in one of the largest-ever breaches at a Canadian airline.
A notice filed with the Maine Attorney General also mentioned 240 affected residents there, underscoring the cross-border scope of the incident.
- What data was exposed in the WestJet airline cyber breach
- Suspected attacker and techniques used in the breach
- Regulatory and legal exposure facing WestJet after breach
- What affected WestJet passengers should do right now
- Why airlines remain a high-value target for attackers
- What remains unclear about the scope and timeline of breach

The airline said that the information potentially accessed by the hackers may include names, dates of birth, postal addresses, and travel documents such as passports and other forms of government-issued IDs. Data associated with customer service information and special needs was also included, along with details linked to WestJet’s loyalty program — from points balances to account numbers.
What data was exposed in the WestJet airline cyber breach
According to the regulatory filing, the dataset in question is comprehensive enough to enable identity fraud and targeted phishing. The exposure of passport and government-issued ID details is particularly sensitive, as those details can be abused to bypass identity verification or to create synthetic identities.
Reward accounts are themselves a high-value target. Criminals often sell frequent-flyer balances on black markets, redeem them for travel or seat upgrades, or even use them to launder money. Loyalty program takeovers have risen steadily, according to a number of fraud-monitoring firms, a pattern now seen across the airline industry.
Suspected attacker and techniques used in the breach
Industry analysts have tied the breach to Scattered Spider, a financially motivated group with a reputation for aggressive social engineering. The group has a history of calling IT helpdesks, posing as legitimate users, and abusing account recovery mechanisms to gain initial entry, then resorting to MFA fatigue or SIM swapping.
Law enforcement and private intelligence companies have warned repeatedly that transportation and aviation sit at the top of attackers' target lists, given their interlinked systems and rich store of personal data. The group has been linked to intrusions at other major travel brands, including a large Australian carrier that had millions of customer records exposed.
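An added example, not part of the original article or any WestJet or agency material: a small Python detector for two of the patterns described above, a burst of denied MFA pushes ending in an approval, and a helpdesk-initiated MFA reset followed by enrollment of a device never seen for that user. The event types, tuple layout, thresholds and sample log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event type, device).
# Event names and layout are assumptions, not a real product's log schema.
EVENTS = [
    ("2025-01-10T09:00:00", "alice", "login_success", "laptop-01"),
    ("2025-01-10T13:02:00", "alice", "helpdesk_mfa_reset", None),
    ("2025-01-10T13:09:00", "alice", "mfa_enroll", "phone-77"),
    ("2025-01-10T14:00:10", "bob", "mfa_push_denied", "phone-02"),
    ("2025-01-10T14:00:50", "bob", "mfa_push_denied", "phone-02"),
    ("2025-01-10T14:01:30", "bob", "mfa_push_denied", "phone-02"),
    ("2025-01-10T14:02:05", "bob", "mfa_push_approved", "phone-02"),
    ("2025-01-10T15:00:00", "carol", "mfa_push_denied", "phone-03"),
    ("2025-01-10T15:30:00", "carol", "mfa_push_approved", "phone-03"),
    ("2025-01-10T16:00:00", "dave", "login_success", "phone-09"),
    ("2025-01-10T16:05:00", "dave", "helpdesk_mfa_reset", None),
    ("2025-01-10T16:10:00", "dave", "mfa_enroll", "phone-09"),
]

def detect(events, burst=3, push_window=timedelta(minutes=5),
           reset_window=timedelta(minutes=30)):
    """Return sorted (user, rule) alerts for the two patterns."""
    alerts = set()
    denied = defaultdict(list)   # user -> times of denied pushes since last approval
    last_reset = {}              # user -> time of the last helpdesk MFA reset
    known = defaultdict(set)     # user -> devices already seen for that user
    for ts, user, kind, device in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "mfa_push_denied":
            denied[user].append(t)
        elif kind == "mfa_push_approved":
            recent = [d for d in denied[user] if t - d <= push_window]
            if len(recent) >= burst:   # approval right after a burst of denials
                alerts.add((user, "mfa_fatigue"))
            denied[user].clear()
        elif kind == "helpdesk_mfa_reset":
            last_reset[user] = t
        elif kind == "mfa_enroll":
            r = last_reset.get(user)
            # A new factor on an unseen device soon after a helpdesk reset
            if r and t - r <= reset_window and device not in known[user]:
                alerts.add((user, "reset_then_new_device"))
        if device:
            known[user].add(device)
    return sorted(alerts)
```

On the sample log, `detect(EVENTS)` flags alice (reset followed by an unseen device) and bob (three denials then an approval), while carol's isolated denial and dave's re-enrollment of a known device stay quiet.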
Regulatory and legal exposure facing WestJet after breach
As a federally regulated airline, WestJet is governed by Canada’s Personal Information Protection and Electronic Documents Act, which stipulates that organizations must notify those affected if the breach represents a real risk of significant harm. The Office of the Privacy Commissioner of Canada can investigate and make findings, and provincial regulators may have similar oversight for residents from their own jurisdictions.

Affected U.S. residents are covered by state-level notification laws, hence the disclosure to Maine’s attorney general. If European passengers are included, then there could also be liabilities under the EU’s data protection framework. Regulatory bodies around the world have in recent years indicated a decreased tolerance for lax identity verification, poor logging, and weak access control in industries handling sensitive travel information.
What affected WestJet passengers should do right now
- Beware phishing emails purporting to be from the airline or a government agency. Breach news is frequently weaponized by attackers. Don’t click account-reset links sent via text message or email; proceed directly to the airline’s website or app.
- Secure your loyalty account immediately: change the password to a unique passphrase (do not reuse it for any other service), and enable multifactor authentication, such as an emailed or SMS code required when making changes.
- If available, set up a PIN required for award redemptions on the web or phone. Check recent redemptions, and watch for any suspicious updates to contact details or stored payment methods.
- If you think your passport or government ID information is at risk, consult the advice from Passport Canada and Immigration, Refugees and Citizenship Canada on how to report and replace damaged documents. For financial protection, place an alert or freeze with both Equifax Canada and TransUnion, and look out for new credit inquiries you didn’t initiate.
Why airlines remain a high-value target for attackers
Passenger name records, identity documentation, and itinerary information form a dense mosaic of personal data that can be used for fraud or highly targeted scams. The loyalty accounts sweeten the deal: they hold a liquid, tradable value without setting off the kind of anti-fraud alerts that accompany traditional payment cards.
Security agencies, including the FBI and the Canadian Centre for Cyber Security, have stressed basic controls that consistently mitigate these attacks: strengthened help-desk identity verification, stringent least-privilege access for both staff and contractors, phishing-resistant multifactor authentication, and aggressive deprovisioning of dormant accounts. Full logging and network segregation can limit the blast radius in case of compromise.
What remains unclear about the scope and timeline of breach
WestJet has not publicly shared how its employees were initially compromised, whether any passwords were stored in hashed form, and whether payment card details were implicated.
It also remains unclear how long the attackers were inside the network before they were discovered and exactly what systems were accessed.
The airline had earlier confirmed a security incident and said it was working with external specialists. Customers should anticipate continuing notifications as the extent of this situation becomes more evident, and North American regulators may request more specifics on containment and remediation efforts.
The incident is a reminder that aviation security is no longer confined to airframes and itineraries. It is about identity, the integrity of data, and trust — three assets that take much longer to rebuild than a flight schedule.
