WestJet Confirms June 13 Cyberattack Exposed Passenger Data

WestJet confirmed a June 13 cyberattack gave a “sophisticated, criminal third‑party” unauthorized access to internal systems, briefly disrupting its app and website before access was restored within about two days. An investigation completed in mid‑September found attackers accessed varying customer data — including names, contact details, dates of birth, travel documents such as passports or government IDs, and reservation and loyalty‑program information — but did not obtain payment card numbers, CVVs, expiry dates or user passwords. WestJet has begun notifying affected customers, is offering identity‑theft protection services, publishing guidance and warning people to watch for phishing and fraud, and says it is not aware of any misuse so far. The airline is working with forensic experts, law‑enforcement and government authorities, including U.S. agencies, and has not publicly attributed the attack to a named group despite contemporaneous activity by groups such as Scattered Spider in the sector. Security experts warn that exposed passports and IDs could be used for identity theft and recommend protective steps for impacted customers.