WestJet Investigates Cyberattack Disrupting Internal Systems and App Access WestJet, Canada’s second-largest airline, is responding to a cybersecurity incident that has disrupted access to some internal systems and its mobile app. The company confirmed the breach in a statement, noting that specialized teams—along with law enforcement and Transport Canada—have been activated to investigate and mitigate the impact. While details remain limited, the incident has restricted user access to certain services, though the full scope of the disruption is still under assessment. WestJet has not disclosed whether the attack involved ransomware, data theft, or other malicious activity. The breach follows a broader trend of cyber threats targeting critical infrastructure and transportation sectors, underscoring the ongoing risks to operational and customer-facing systems. No further updates on the investigation or potential data exposure have been released.

WestJet, a major Canadian airline serving over 25 U.S. destinations, suffered a cybersecurity incident where a criminal third party gained unauthorized access to personally identifiable information (PII) of over a million individuals. The compromised data included names, dates of birth, addresses, passport/government-issued ID numbers, and medical information. The breach exposed highly sensitive customer data, prompting legal action by Lynch Carpenter, LLP, a national class-action law firm investigating claims for potential compensation. The incident highlights severe risks to customer privacy, financial security, and trust in the airline’s data protection measures, with potential long-term reputational and financial repercussions. The breach notification suggests widespread exposure, increasing the likelihood of identity theft, fraud, and regulatory penalties under data protection laws (e.g., Canada’s PIPEDA or GDPR for affected EU travelers).

WestJet, Canada’s second-largest airline, suffered a sophisticated cyberattack in mid-2025, resulting in the unauthorized access and theft of sensitive passenger data. The breach, disclosed on September 29, 2025, confirmed that a criminal third party exfiltrated personal information, including full names, dates of birth, mailing addresses, passport numbers, travel-related details (accommodations, complaints), and WestJet Rewards account data (IDs, point balances). While credit/debit card numbers, CVV codes, and passwords remained uncompromised, the attack exposed government-issued travel documents and loyalty program details of a subset of US-based customers. The airline initiated containment measures early in the incident and engaged internal security teams and external forensic experts to investigate. Affected individuals were offered 24 months of TransUnion’s myTrueIdentity monitoring (credit reports, dark web monitoring, $1M identity theft insurance). The breach was reported to law enforcement, including the FBI, though the initial attack vector and threat actor identity remain undisclosed. WestJet emphasized no evidence of Rewards points being misused but warned customers to monitor for phishing attempts and unusual account activity. The incident highlights risks to customer trust, regulatory scrutiny, and potential financial fraud, though flight operations remained unaffected.

Airlines Hit by Cyber Attacks Ahead of Holiday Travel Surge Multiple airlines including Hawaiian Airlines, WestJet, and Qantas reported cyber attacks on their IT systems in the days leading up to the Fourth of July holiday travel rush. The FBI has attributed the incidents to Scattered Spider, a hacking group known for using social engineering and third-party vendor exploits to breach large organizations. Hawaiian Airlines and WestJet confirmed attacks within the past week, with the Federal Aviation Administration (FAA) stating on June 26 that the Hawaiian Airlines breach had no impact on flight safety. WestJet launched an internal investigation, while Qantas disclosed a separate attack on June 25, revealing that a third-party customer service platform was compromised before the breach was contained. The FBI issued a warning on June 28, identifying Scattered Spider as the likely culprit behind the airline sector targeting. Airlines are responding by collaborating with authorities, strengthening cybersecurity measures, and notifying affected customers as investigations continue. The attacks highlight growing cyber risks in the travel industry, particularly as reliance on third-party vendors increases. While no operational disruptions or safety issues have been reported, the incidents underscore the need for heightened security in an increasingly digital travel ecosystem.

Cybercriminal Group Scattered Spider Targets North American Airlines in Recent Attacks At least two major North American airlines WestJet and Hawaiian Airlines have confirmed cyberattacks in June, as the FBI and cybersecurity firms warn of a surge in threats against the aviation industry. The attacks have been linked to Scattered Spider, a notorious cybercriminal group known for its social engineering tactics and ransomware deployments. WestJet first detected the breach on June 13, stating it had made "significant progress" in resolving the incident, though details on operational disruptions remain unclear. Hawaiian Airlines disclosed in an SEC filing on June 17 that it had identified a hack but confirmed flights were operating normally. Meanwhile, American Airlines reported a separate "technology issue" on June 21, though it has not confirmed whether the incident was cyber-related. Scattered Spider, described by cybersecurity firms as a loosely organized group of young, English-speaking hackers, specializes in phishing and social engineering to gain access to corporate systems. Once inside, they often hand off control to ransomware operators, who lock critical systems and demand payment. The group has previously targeted Las Vegas casinos in 2023 and British retailers earlier this year, causing widespread disruptions, including supply chain shortages for Whole Foods. The FBI issued a public warning on June 21, stating that Scattered Spider was actively targeting aviation and that the agency was collaborating with industry partners to mitigate the threat. Google’s Mandiant and Palo Alto Networks have also observed the group’s recent focus on the sector, with Mandiant’s CTO, Charles Carmakal, noting multiple incidents in transportation and aviation. While both WestJet and Hawaiian Airlines have assured that flights remain unaffected, the full scope of the breaches including potential data exposure remains under investigation. The attacks underscore the aviation industry’s growing vulnerability to sophisticated cyber threats.

WestJet, a Canadian airline, confirmed a cybersecurity breach in June 2025 where a criminal third party accessed its network, exposing passengers' personal data. While flight operations and financial details (credit cards, passwords) remained secure, stolen information included names, dates of birth, mailing addresses, passport/government ID details, and WestJet Rewards data (IDs, point balances). Non-sensitive data for WestJet RBC Mastercard holders was also compromised. The airline collaborated with law enforcement (FBI) and regulators (Transport Canada), offering 24 months of free identity theft monitoring via TransUnion, including $1M expense reimbursement. The breach, attributed to social engineering tactics like phishing, underscored risks of identity theft and scams from exposed travel-related data. No ransomware was explicitly confirmed, but the attack highlighted vulnerabilities in customer service roles and human risk management.

In June 2025, WestJet fell victim to a cyberattack executed by a sophisticated, criminal third party, resulting in the unauthorized access of some passengers' personal information. While the airline confirmed the breach, it clarified that most compromised data was not classified as 'sensitive'—suggesting the exposure may have included non-critical details like basic contact information or booking references rather than financial, health, or highly confidential records. The incident prompted a formal notice to affected U.S. residents, indicating cross-border implications. WestJet’s ongoing investigation suggests the attackers targeted passenger data, but the absence of large-scale financial fraud or systemic operational disruption implies the impact was contained to personal (non-sensitive) information leaks. The airline has not disclosed whether the breach stemmed from a vulnerability, phishing, or direct infiltration, but the involvement of a criminal actor points to a deliberate cyber attack rather than an accidental exposure.

Canadian airline WestJet suffered a cyberattack in June 2024, compromising the personal data of 1.2 million customers. The breach, attributed to social engineering (password reset of an employee via Citrix), allowed attackers to infiltrate Windows and Microsoft cloud networks. Exposed data included full names, dates of birth, mailing addresses, passports/government IDs, travel documents, accommodation requests, complaints, and WestJet Rewards/Mastercard details (excluding credit/debit card numbers, CVVs, or passwords). The FBI is investigating, and WestJet offered 2-year identity theft protection to affected individuals. The airline, serving 25M+ travelers annually, warned that the full scope remains undetermined, with potential further exposures under shared booking numbers. Threat actors linked to Scattered Spider (targeting aviation) were suspected but not officially confirmed.

In mid-June 2023, WestJet, a Canadian airline, suffered a cybersecurity breach executed by a sophisticated criminal third party that infiltrated its IT systems. While the breach was swiftly contained and did not compromise flight safety, credit card details (including CVV numbers and expiration dates) or customer passwords, sensitive passenger information was exfiltrated. The stolen data varied in sensitivity: for most affected individuals, the exposed information was non-sensitive, but for a subset of customers, it included personal details (name, contact information), travel-related documents (reservation and booking data), and records of their relationship with WestJet. The airline conducted a forensic investigation with internal and external experts, collaborating with Transport Canada, the FBI, the Canadian Centre for Cyber Security, and credit agencies (TransUnion, Experian, Equifax) to mitigate risks. WestJet is actively notifying impacted customers, though the exact scale of the breach—beyond the confirmation of personal (non-financial) data leakage—remains undisclosed. The incident aligns with a broader trend of escalating cyber threats in the aviation sector, following similar attacks on Qantas, Aeroflot, and Collins Aerospace in 2023.

WestJet app suffered from a data breach incident due to technical issues that, leaks of consumers' sensitive information. The compromised information includes profile information, phone numbers, home addresses, birthdates, email addresses, WestJet dollars, and flight voucher details. Some have also revealed that they could see the last four digits of another user’s credit card number. They investigated the incident and took guests' privacy extremely seriously.