382/68 Friday, October 3, 2025
Canadian airline WestJet has disclosed that a cyberattack in June led to the theft of personal data belonging to over 1.2 million customers, including travel documents such as passports and government-issued IDs. The company confirmed the findings of its investigation and reported the incident to relevant authorities on September 15, 2025.
The attack, which occurred on June 13, 2025, disrupted internal systems and rendered the WestJet app unusable. Reports indicate that attackers may have leveraged social engineering to reset an employee’s password, then exploited Citrix systems to gain access to WestJet’s Windows network and Microsoft Cloud environment. Stolen data included names, dates of birth, addresses, travel documents, passenger complaints, hotel booking information, WestJet Rewards membership numbers and points, as well as WestJet–RBC co-branded credit card details. However, the airline stressed that credit card numbers, CVV codes, expiration dates, and customer account passwords were not compromised.
WestJet noted that the investigation is ongoing and the full scope of the breach may extend beyond what has been disclosed so far. As an immediate response, the airline is offering two years of free Identity Theft Protection & Monitoring services to affected customers. The company also emphasized that it is working closely with technical experts and the FBI to determine the root cause of the breach and has implemented additional security measures to prevent similar incidents in the future.
