WestJet has admitted that a cyberattack on its systems earlier this year resulted in the theft of personal details from some passengers, including information drawn from travel documents such as passports. Payment card details and user passwords, however, were not taken.
The airline said the compromised data differs from person to person but may include names, dates of birth, contact information, gender, and recent booking records, including reservation numbers. Details from government-issued identification used for travel were also among the data taken.
In correspondence to those affected, WestJet warned that the stolen information could be used for identity theft or fraud, and said it would provide two years of free identity monitoring. The intrusion was detected on June 13, when the airline found that criminals had temporarily accessed some systems. The Office of the Privacy Commissioner of Canada has opened an inquiry.
The breach is the latest in a string of incidents affecting carriers across several jurisdictions. Hawaiian Airlines and Qantas have recently reported cyber intrusions, while the FBI has cautioned that the hacking group known as Scattered Spider has shifted its attention to the aviation sector.
Security specialists say that airlines remain attractive targets because of their vast repositories of personal data, often held on interconnected legacy platforms. The concentration of high-value information, combined with seasonal peaks in activity, increases the opportunity for exploitation.
Scattered Spider, also identified by analysts as UNC3944, has been linked to high-profile attacks on MGM Resorts and Caesars Entertainment. It is known for using advanced social engineering – including phishing, SIM swapping and impersonation – to bypass multifactor authentication.
For Canadian insurers, the incident is another reminder of the complexity of underwriting and managing cyber risk in data-rich industries. While credit card numbers were untouched, exposure of identity documents can generate substantial long-term liabilities through monitoring costs, regulatory compliance, and litigation risk.
The breach comes amid heightened alert in the insurance sector itself. In the United States, both Erie Insurance and Philadelphia Insurance have reported network intrusions consistent with Scattered Spider’s methods. In each case, attackers exploited staff-facing service environments to obtain footholds in corporate networks.
Industry analysts suggest that aviation and insurance operators alike should re-examine their identity-verification protocols, privileged-account management and vendor access arrangements. For insurers, the concerns are twofold: the direct underwriting exposure to aviation clients, and indirect exposure through travel-related lines and affinity products.
With official investigations under way, and the possibility of further disclosures, WestJet’s case illustrates that the same actors are now assailing sectors as diverse as airlines and insurers – and doing so with increasing sophistication.
Previously speaking to Insurance Business Canada, Steven Godfrey, head of aviation at HDI Global SE, noted that incidents like these underscore the need for aviation clients to approach risk holistically. While a hack of an airline booking system is “strictly a cyber exposure” and not covered under an aviation policy, Godfrey said it highlights the value of involving underwriters from multiple lines of business to craft more robust, gap-free coverage.
“I think it's a little early to talk about lessons learned, but it certainly brings front of mind the necessity for clients, perhaps especially aviation clients, to be bringing in multiple lines of business and allowing underwriters to present much more robust solutions that involve multiple lines of coverage,” he said.
