WestJet Data Breach Exposes Customer Passports and Government IDs

Introduction
A recent cybersecurity incident at Canadian airline WestJet has resulted in the exposure of sensitive customer data, including passport and government-issued ID information. The breach, initially disclosed in June 2025, has now been confirmed to involve significant personal data exfiltration, raising concerns over identity theft and privacy risks for affected individuals.

Background
WestJet, a major North American airline operating 153 aircraft and serving 104 destinations, disclosed a cybersecurity incident on June 13, 2025. The breach disrupted internal systems and rendered the WestJet mobile app temporarily unavailable. At the time, the Scattered Spider threat group was actively targeting aviation sector entities, although no official attribution has been made for this incident.

Initial communications from WestJet did not confirm whether sensitive data had been accessed. However, following a detailed investigation concluded on September 15, 2025, the airline confirmed that attackers had accessed a range of personal data. Notifications were shared with affected customers and relevant U.S. authorities.

Compromised Data
The breach exposed varying types of data per individual, including:
Full name
Date of birth
Mailing address
Travel documents such as passports or government-issued IDs
Requested accommodations and filed complaints
WestJet Rewards Member ID, points, and related information
WestJet RBC Mastercard, WestJet RBC World Elite Mastercard program information
Importantly, no credit card or debit card numbers, expiration dates, CVV codes, or user passwords were compromised in the breach.

Mitigation Measures
WestJet has taken several steps to mitigate the impact of the breach:
Notified affected individuals and advised them to inform others who may have traveled under the same booking number, as their data may also be at risk.
Offered a free 2-year identity theft protection and monitoring service, redeemable by November 30, 2025.
Engaged technical experts to assess and contain the breach.
Implemented enhanced security measures to prevent future incidents.