Canadian airline WestJet has officially confirmed that the cybersecurity incident disclosed in June led to the exposure of highly sensitive customer data, including passports, government-issued IDs, and personal travel details. The breach highlights the growing risks facing the aviation industry, a sector increasingly targeted by advanced hacking groups.
The airline, which operates a fleet of 153 aircraft and serves 104 destinations across North America, carries over 25 million travelers annually. On June 13, 2025, WestJet reported that certain internal systems had been disrupted and its mobile app became unavailable. While initial updates assured customers that protective measures were being enforced, the company did not confirm whether sensitive data had been accessed. That uncertainty ended with the results of an investigation finalized on September 15, revealing the true scale of the breach.
According to WestJet’s notification to affected individuals and authorities in both Canada and the United States, the compromised data varies per passenger but may include full names, dates of birth, mailing addresses, passports, government IDs, travel history, special accommodation requests, filed complaints, and WestJet Rewards program details. Customers who held a WestJet RBC Mastercard or WestJet RBC World Elite Mastercard may also have had related information exposed, though the airline clarified that no credit or debit card numbers, CVVs, or user passwords were stolen.
In a particularly concerning detail, WestJet warned passengers that anyone traveling under the same booking number might also have had their personal data compromised. The company has emphasized that its technical experts and the FBI remain actively involved in the ongoing investigation to assess the full scope of the incident.
WestJet’s transparency now contrasts with its initial caution. The notification also included instructions for affected customers to enroll in a free two-year identity theft protection and monitoring program, which must be activated by November 30, 2025. This move aims to restore confidence and mitigate the potential fallout from compromised identity documents, which are highly valuable on dark web marketplaces.
The breach comes amid a broader trend of cybercriminals targeting aviation. Around the time of the incident, the Scattered Spider threat group was linked to similar attacks on airlines and travel-related firms, though no official attribution has been made for the WestJet hack. The incident underscores that airlines, with their vast databases of passenger identities and travel records, remain prime targets for cyber espionage and financial fraud schemes.
Conclusion: The WestJet data breach is a reminder that even industry giants must continually adapt to evolving cybersecurity threats. For passengers, the exposure of passports and government IDs poses long-term risks that extend beyond credit card fraud, underscoring the importance of identity monitoring and protective services. As cybercriminals escalate their focus on airlines, robust data security frameworks will be critical to safeguarding both travelers and the aviation sector itself.
