WestJet Confirms Customer Data Breach Exposing Sensitive Personal Information

Canadian airline WestJet said the data security incident it suffered earlier this year compromised the sensitive personal data of its customers.

 

One of the largest low-cost air carriers in Canada, WestJet operates scheduled, charter, and cargo air service, transporting more than 25 million passengers per year in over 100 destinations.

 

In a data security incident notice published on its website, WestJet said that on June 13, it identified suspicious activity within its internal network. The airline immediately launched an investigation and determined that these were the actions of a sophisticated, criminal third party, who gained unauthorised access to the company systems. 

 

“Given the significant importance of data security to the integrity of our business, we are prepared for incidents of this nature and follow our response planning by taking immediate action to contain the incident and secure our systems. As a result, at no point was the safety and integrity of our airline operations in question,” WestJet said.

 

The investigation revealed that confidential data was illegally exfiltrated from WestJet’s internal systems. The compromised data included names, dates of birth, email addresses, mailing addresses, phone numbers, and gender, and recent travel booking history, including booking numbers, may have been stolen. 

 

The breach also compromised information related to travel documents, including passports and other government-issued IDs used by passengers flying with WestJet.

 

“Given the criminal nature of this incident, we closely cooperated with law enforcement, the Canadian Centre for Cyber Security, and have notified the relevant authorities, including Transport Canada, the Office of the Privacy Commissioner of Canada and its provincial and international counterparts as appropriate,” the airline said.

 

WestJet has confirmed that credit and debit card numbers, as well as user passwords, were not compromised. It has, however, advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to relevant law enforcement authorities. 

 

“Containment is complete, and some additional system and data security measures have been implemented. However, analysis is ongoing, and we will continue to take measures to further enhance our cybersecurity protocols,” WestJet added.