WestJet says customers’ passport info affected in recent cyberattack
WestJet has revealed more details about a recent cyberattack that impacted some Canadian customers.
In a notice on Tuesday, the airline confirmed that “certain data was illegally obtained” from its system as a result of a cyberattack on June 13.
WestJet says no credit card or debit card numbers and no guest user passwords were stolen. However, some personal and travel-related data — which the carrier says varies from person to person — was stolen.
On Friday, the carrier sent emails to its loyalty members sharing more information about the specific data that was affected.
WestJet says the following data may have been impacted:
- Name
- Date of birth
- Email address
- Mailing address
- Phone number
- Gender
- Recent travel booking history, including travel booking number
- Personal information on your passport or other government-issued identification documents
- Other information regarding your travel needs, like accommodations requested or complaints filed
“It is possible that this information could be used for identity theft or fraud (including in the context of any booked travel),” reads the email.
Pavel Kapysh/Shutterstock
The notice adds that information linked to WestJet Rewards memberships may have also been affected. This could include WestJet Rewards ID numbers and points balance on the date of the incident, as well as other data linked to the use of the account.
“Importantly, your password to access Rewards accounts was not affected. WestJet has no reason to believe that your points may be at risk,” reads the email.
According to the carrier, WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard for Business cardholders’ additional information linked to their rewards account may have also been involved.
“This may include a credit card identifier type (e.g. “World Elite”), and information about changes to your WestJet points balance,” reads the email. “Your credit card number, expiration date and CVV are not affected.”
What should affected WestJet customers do?
Pascal Huot/Shutterstock
“In line with regulatory requirements, WestJet has identified those individuals who we will contact in the coming days to provide information and support regarding this incident,” reads the notice.
The carrier says impacted individuals can expect to be contacted by Cyberscout as part of its response effort.
The airline is also offering identity theft and monitoring services free of charge for 24 months.
“These services provide you with credit alerts for any changes to your information for 24 months from the date of enrollment,” reads its email to loyalty members on Friday. “These services also provide you with access to Identity Restoration agents who are available to assist you with questions about identity theft.”
The company says the service includes up to $1 million of expense reimbursement insurance. Impacted customers should have received an email with a personal activation code and detailed instructions on how to enroll in these services.
On June 13, the airline identified suspicious activity on its systems. An investigation found that a “sophisticated, criminal third party” carried out the cyberattack.
“Given the significant importance of data security to the integrity of our business, we are prepared for incidents of this nature and followed our response planning by taking immediate action to contain the incident and secure our systems,” stated WestJet. “As a result, at no point was the safety and integrity of our airline operations in question.”
The carrier says it has closely cooperated with law enforcement, the Canadian Centre for Cyber Security. It has also notified Transport Canada, the Office of the Privacy Commissioner of Canada and its provincial and international counterparts.
This article was originally published on Aug. 12, 2025, and has been updated.