WestJet, Canada's second-largest airline, officially confirmed a large-scale data breach in which the personal information of 1.2 million passengers was leaked through hacking attacks. The victims include 240 residents of Maine, US, and WestJet submitted a report to authorities as required by state law. WestJet discovered the system breach on June 13, officially confirmed the leak on September 15, and notified customers on September 29.
The leaked information includes names, birth dates, addresses, passports and government-issued identification, all of which are sensitive identity verification materials. Passenger convenience requests, complaint records, and customer rewards program information (point balances, etc.) were also exposed. Reports link the attack to the hacking group Scattered Spider, made up primarily of English-speaking hackers in their late teens to early 20s who use "social engineering": calling corporate IT helpdesks to trick employees and take over network access credentials. The FBI and cybersecurity firms had warned since early in the year that this group was intensively attacking the aviation and transportation industry; Australia's Qantas reportedly also had 6M+ customer records leaked by this group.
WestJet will provide 24 months of free identity theft protection services to affected customers through TransUnion's CyberScout (including monitoring for changes to personal information, identity theft damage support, and insurance up to $1M). However, passenger anxiety will not easily subside: exposure of the passport and identification information collected through airline ticketing and travel processes greatly increases the risk of criminal misuse, including the possibility that international criminal organizations use it for identity forgery or illegal entry.
The case shows the aviation industry's special nature and security vulnerabilities: airlines must store sensitive data like passports, payment information, and travel schedules at scale, but their IT infrastructure is vast and complex, making security management difficult. Social engineering-based attacks depend on tricking people rather than on defeating technical defenses, so when employees cannot distinguish an attacker's call from a legitimate one, even advanced firewalls are rendered useless. The WestJet case is becoming a warning that demands cybersecurity framework reform across the aviation industry. As AI and automation spread and airlines become more dependent on digital systems, attackers gain more opportunities.



