In mid-June 2025, WestJet, Canada’s second-largest airline, discovered a cybersecurity breach that exposed sensitive passenger information. Though operations remained intact, the incident casts a spotlight on aviation industry vulnerabilities and the growing complexity of cyber threats.
Unfolding of the Incident
On June 13, 2025, WestJet detected “suspicious activity” within its IT infrastructure. This triggered an internal investigation that revealed unauthorized access to various systems—including its mobile app and internal platforms. According to the airline, customer and employee data were potentially compromised. However, crucially, it emphasized that airline operations remained safe and unaffected throughout the incident. Law enforcement and Transport Canada were immediately engaged to help contain and assess the breach.
A few days later, the Wall Street Journal reported that the breach did not disrupt flight operations, though customers might experience intermittent booking issues via the website or app. Law enforcement, including the Royal Canadian Mounted Police, were involved in the response. At the time, no direct link had been established between the incident and the G-7 summit being held in Alberta—WestJet’s home base.
Types of Data Exposed
Further reporting clarified the extent of the exposed information. While WestJet affirmed that credit or debit card details—and user passwords—were not compromised, the breach involved highly sensitive personal identifiers. These included:
- Names, dates of birth, email addresses, phone numbers, and mailing addresses
- Gender, recent travel booking history, and booking reference numbers
- Information regarding government-issued travel documents—such as passports or IDs used during travel
This aligns with accounts shared in a Reddit megathread summarizing WestJet’s communication. Passengers affected reported that data tied to their WestJet Rewards account may have been involved, including the Rewards ID, points balance, and—though not credit card specifics—some identifier types like “World Elite.”
Why This Matters
Passport data and travel history are exceptionally sensitive and high-value for criminals. Such information can facilitate identity theft, creation of forged documents, account takeover, and even black-market sales of forged credentials. As one report noted: “Passports could be misused for identity theft, fraud, or even fake travel documents.”
Although no financial fraud tools were leaked, the potential for long-term misuse remains high. A breach of this nature could erode passenger trust, require significant remediation costs, and invite regulatory scrutiny.
WestJet’s Response and Customer Protection Measures
Following the breach, WestJet launched a swift response:
- Launched technical and forensic investigations involving internal teams and external cybersecurity experts
- Implemented “additional system and data security measures” to fortify defenses
- Engaged Cyberscout, a division of TransUnion, to notify affected individuals and offer them 24 months of complimentary identity theft protection and monitoring services
- Confirmed that WestJet Rewards accounts, including points balances, were not compromised—as of current understanding
- Notified authorities including Transport Canada, the Office of the Privacy Commissioner of Canada, and other relevant provincial and international data protection agencies
Reddit users expressed concern about whether signing up for the offered protection waives their right to legal claims. Others asked if WestJet would reimburse costs for passport replacement or other consequences—but no blanket RSVP or liability waiver was mentioned in the airline’s communications. Some users noted mixed experiences: while some had no issues registering, others encountered authentication prompts—such as entering the last four digits of their SIN—even though providing a Social Insurance Number was reportedly not mandatory.
Broader Industry Context
This breach highlights a global trend: airlines are increasingly targeted by cybercriminals due to the wealth of personal and travel data they manage. Experts have likened airlines to “a perfect storm of opportunity” for attackers. Indeed, recent cyber incidents in the sector—like ransomware attacks on Seattle-Tacoma International and outages at Delta—underscore the operational and financial risks involved.
In Canada, the WestJet incident follows earlier breaches affecting critical infrastructure—such as unauthorized access to networks of energy provider Emera and Nova Scotia Power in April 2025—demonstrating a worrying rise in threats targeting national infrastructure.
Next Steps and Compliance Oversight
The breach is under active investigation. Federal and international privacy regulators are scrutinizing WestJet’s compliance with data protection obligations. The Office of the Privacy Commissioner and other authorities will evaluate whether WestJet took appropriate preventive measures before, during, and after the breach.
The airline states it is committed to strengthening cybersecurity, investing further in IT defenses, and enhancing resilience against evolving threats.
Conclusion
In June 2025, WestJet suffered a cybersecurity breach that exposed extensive passenger data—including passports, travel history, and personal identifiers—though sensitive financial information was spared. While operational continuity was maintained, the incident reveals critical vulnerabilities in the airline industry’s cyber defenses.
WestJet acted quickly—engaging experts to contain the breach, notifying authorities and customers, and offering two years of identity monitoring services. Still, the risk of identity fraud remains, and affected passengers are rightfully concerned about long-term consequences and clarity around legal recourse.
The event follows a wave of cyber intrusions targeting Canadian infrastructure, further underscoring the growing importance of robust cybersecurity in transportation. As investigations proceed and regulators assess compliance, WestJet’s response will serve as a case study in both crisis management and the imperative of digital resilience.