A WestJet data breach has exposed the sensitive personal information of 1.2 million passengers after sophisticated hackers breached the airline’s internal systems, locking some users out of their accounts.
“WestJet is aware of a cybersecurity incident involving internal systems and the WestJet app, which has restricted access for several users,” it stated.
The Calgary, Alberta-based carrier said the cyber intrusion occurred on June 13 and was detected due to suspicious activity on its network, which it attributed to a “sophisticated, criminal third party.”
It responded by activating specialized internal teams and working with law enforcement authorities, the Canadian Centre for Cyber Security (CCCS), and Transport Canada to investigate the incident.
WestJet data breach impacts 1.2 million people
On September 15, WestJet concluded the investigation and determined that the cyber attack had leaked the personal information of 1.2 million people.
“The investigations to date have established that the unauthorized third party obtained certain data from our network,” WestJet told American customers.
The data breach leaked customers’ names, dates of birth, mailing addresses, travel documents such as passports or ID numbers, and travel information, such as accommodation details and complaints raised.
Similarly, WestJet Rewards Member information, including Rewards ID number, points balance, and account use information, was compromised.
The data breach also exposed the credit card identifier types, such as “World Elite” for WestJet RBC MasterCard, WestJet RBC World Elite MasterCard, or WestJet RBC World Elite MasterCard for Business cardholders.
However, it did not expose customer account login credentials and actual credit card information, such as card number, CVV, or expiry date.
Although the leaked personal data poses no direct risk to impacted individuals, hackers could utilize it to create compelling phishing messages that could compromise more significant personal information.
“The information stolen, such as passport information or government identification, along with the other personal information, such as more typical addresses and date of birth, can be enough to facilitate some significant identity theft,” lamented Erich Kron, CISO Advisor at KnowBe4. “The fact that accommodations were among the list of information stolen can also have a more significant impact, both by attackers scamming the victims, and for WestJet if the leakage of medical information violates any regulatory rules.”
Meanwhile, WestJet has notified U.S. regulatory and law enforcement authorities, including the Office of the Maine Attorney General and the Federal Bureau of Investigation (FBI).
The North American carrier also said it took the necessary measures to safeguard air safety and protect personal information, and began working to restore the impacted systems.
It also implemented additional security measures to prevent a similar data breach in the future. In addition, victims will receive 24 months of complimentary identity theft monitoring to prevent hackers from using their leaked details fraudulently.
Victims should also take personal security measures by monitoring their accounts for suspicious activity and avoid sharing personal information online.
Scattered Spider breaches Canada’s WestJet
So far, WestJet has not attributed the data breach to any threat group or disclosed the attack vector. Similarly, no hacking group has publicly claimed responsibility for the cyber attack.
However, some cybersecurity experts and media reports have attributed the cyber attack to the notorious English-speaking hacking group Scattered Spider.
While the attack vector remains undisclosed, the hacking group leverages social engineering and phishing to breach organizations, pivot to other systems, and exfiltrate data before demanding a ransom.
“A number of recent attacks such as this use social engineering, telephone calls specifically, to get help desk employees to reset passwords or multi-factor authentication information for accounts, such as employee accounts, that attackers are targeting,” added Kron. “Once they’ve gained access to a legitimate account, it can be used to perpetuate other attacks against others within the organization, or to impact systems that can be used to steal information or spread malware such as ransomware.”
Previously, the FBI, Google’s cybersecurity firm Mandiant, and Palo Alto’s threat intelligence branch Unit 42 had warned about Scattered Spider targeting the aviation industry. The FBI had specifically warned that anyone within the aviation ecosystem was a potential Scattered Spider’s target.
The group, which consists of teenagers and young adults, was linked to cyber attacks on luxury retailers in the U.K., which resulted in the arrest of four suspected members.

