WestJet Data Breach Impacts 1.2 Million Travelers

Summary

– WestJet’s June cyberattack compromised personal data of 1.2 million customers, including passports, IDs, and travel information.
– The breach occurred through social engineering that allowed attackers to reset an employee password and access WestJet’s network via Citrix.
– Exposed data includes names, addresses, birth dates, reward member details, and Mastercard information, but no financial data or passwords.
– WestJet is providing free 2-year identity theft protection and collaborating with the FBI in ongoing investigations.
– The airline confirmed the breach impact on September 15 and is still determining the full scope of the incident.

A significant data breach at Canadian airline WestJet has compromised the personal information of approximately 1.2 million travelers, with exposed data including sensitive travel documents like passports and government IDs. The airline confirmed the scale of the incident after concluding its internal investigation, revealing that hackers accessed a wide range of customer details through a sophisticated network intrusion.

WestJet, which operates a fleet of 153 aircraft and serves more than 25 million passengers across 104 destinations each year, first disclosed the cybersecurity event in mid-June. At that time, the breach disrupted internal operations and made the company’s mobile application unavailable. Although attribution remains unconfirmed, security researchers noted that threat actors linked to the group known as Scattered Spider were actively targeting aviation sector organizations around the same period.

Investigations revealed that the attackers used social engineering tactics to reset an employee’s credentials, gaining initial access through a Citrix remote-access system. This foothold allowed them to move laterally into WestJet’s Windows network infrastructure and portions of its Microsoft cloud environment.

In the immediate aftermath, WestJet published several statements emphasizing that protective measures were underway, but did not confirm whether any personal customer information had actually been stolen. That changed when the airline submitted formal data breach notifications to affected customers and U.S. regulatory bodies, including the Maine Attorney General’s Office.

The compromised information varies by individual but can include full names, dates of birth, home addresses, and various travel-related documents. Details about requested accommodations, filed complaints, and WestJet Rewards membership data, including member IDs and point balances, were also accessed. Information related to co-branded Mastercard accounts issued by RBC was exposed, though the airline clarified that no payment card numbers, expiration dates, CVV codes, or account passwords were taken.

WestJet is urging notification recipients to inform others who may have traveled under the same booking reference, since their information could be at risk as well. The company acknowledged that the full scope of the incident is still under review, meaning additional individuals might be affected.

In a customer letter, WestJet explained, “We continue to work alongside our technical experts to determine the full extent of the incident. While investigations of this nature are complicated and take time to complete, we have worked as quickly as possible to review the data we understand to be involved.”

The airline confirmed that the Federal Bureau of Investigation (FBI) is assisting with the ongoing probe and that additional security measures have been implemented to prevent future attacks. Impacted customers are being offered a free 24-month identity theft protection and monitoring service, which must be activated by November 30.

(Source: Bleeping Computer)
