WestJet announces cyber breach

Latest high-profile hack raises plenty of questions

By Chris Davis

WestJet Airlines said today that some of its customers’ personal information was stolen in a June cyberattack, though the carrier maintains that sensitive financial data was not compromised.

The Calgary-based airline disclosed that a “sophisticated, criminal third party” gained access to its systems on June 13. While credit card numbers, expiration dates, CVV codes, and user passwords were not taken, investigators found that passenger records – including names, contact details, reservation documents, and information tied to customer accounts – were exposed.

“Containment is complete, and some additional system and data security measures have been implemented,” the airline said in a statement, adding that further analysis is ongoing. WestJet has retained Cyberscout to provide fraud assistance and remediation services for affected customers.

The airline said it is working with the Federal Bureau of Investigation, the Canadian Centre for Cyber Security, and multiple privacy regulators in both Canada and the United States. Notifications were also sent to U.S. residents potentially affected, as well as state attorneys general, credit reporting agencies, and federal transport officials.

The timing of the disclosure has raised eyebrows. “It’s unfortunately not a surprise. I feel like it’s a random sampling of when these attacks hit,” said Anthony Dagostino, president and chief underwriting officer at Avoca Risk. “It, number one, makes you question was the information encrypted or protected? Are they doing this just for, you know, notification purposes to get it out there? … It also makes you wonder on the timing... it was June, we’re now nearing October. So that is a little bit of time that has gone by before it was kind of disclosed. It’s just another reminder for companies where I think obviously protecting the information is important. Important how you respond, especially with public. This was a Canadian company, but in the US, publicly traded companies have some pretty strict requirements on when they notify of that type of event. And it’s a much, much shorter time frame than the four months we’re talking about, or three months,” he said.

The breach adds to a string of recent cyber incidents targeting the aviation sector. Earlier this month, a ransomware attack on Collins Aerospace, a division of RTX, disrupted operations at several European airports, paralyzing check-in and baggage systems.

For insurers, the WestJet case underscores the rising exposure of airlines and travel operators, whose operations depend on vast stores of passenger data and interconnected digital systems. The incident highlights not only the importance of preventive cybersecurity measures but also the reputational and regulatory consequences of delayed disclosures.
