Canada’s WestJet has begun notifying 1.2 million American customers whose sensitive data was impacted after hackers breached the airline’s systems in June.
The notice, according to WestJet Loyalty customers on Reddit, stated the airline had first identified the “suspicious activity” on June 13th.
“We are writing to update you on our investigation, which involved some of our systems which hold your personal information,” it said.
“It is possible that this information could be used for identity theft or fraud. We are communicating this to you so that you can take the steps outlined below to protect yourself, “ the Calgary, Alberta-based airline stated.
Sensitive data exposed
WestJet revealed on September 30th that 1.2 million Americans have been impacted, also noting it has informed the appropriate US State Attorney General’s offices, including the Office of the Maine AG, which provided a copy of the letter.
"We diligently conducted an extensive analysis to identify specific data elements and locate current contact information for certain United States residents who were impacted. As of September 15, 2025, we completed our analysis, and as a result, are providing this notice," it said.
Blaming the intrusion on a "sophisticated, criminal third party," WestJet’s Cyber Response team confirmed the sensitive data accessed by the perpetrators included:
- name, date of birth, gender,
- e-mail address, mailing address, phone number
- recent travel booking history, such as travel booking number
- travel documents used to book, such as passport or other government-issued ID
- Travel information linked to other people, such as family members travelling under the same booking number
- other travel information, such as accommodations requested, complaints filed.
The cyber team stressed in the notice that no “credit card or debit card numbers, expiry dates and CVV numbers, or guest user passwords,” were compromised, and that the type of compromised personal information varies from person to person.
“At no time was the safety and integrity of our operations ever in question,” the airline said.
All WestJet RBC Mastercard holder accounts linked to a WestJet Rewards account may also have been compromised, such as the type of WestJet Mastercard ( Elite, Business, etc.), as well as information about points balances, the letter stated, adding that Mastercard card account numbers, expiration dates, and CVV security codes were not affected.
Additionally, any information linked to WestJet Rewards Member accounts may have been impacted, including WestJet Rewards ID number, changes to points balances on June 13th, and other information linked to the loyalty account.
Although WestJet did not reveal if it had identified the hackers responsible, security researchers believe the Scattered Spider ransomware group, also known as UNC3944, may have been behind the attack.
The M&S attackers set out on a hacking campaign targeting the North American aviation sector earlier this summer, allegedly breaching several airlines, including Hawaiian Airlines and Alaska Airlines.
Last month, the airline confirmed WestJet customer data had been stolen in the June breach, and an official investigation had been launched by the OPC, the Office of the Privacy Commissioner of Canada.
Authorities involved with the investigation include the Canadian Centre for Cyber Security and the FBI.
The airline is offering free credit moitoring to all notified passengers.
Your email address will not be published. Required fields are markedmarked