WestJet has confirmed that a June cyberattack led to the theft of sensitive data belonging to about 1.2 million customers, including passport and government ID details. The airline disclosed the scope of the breach in a notice to customers and U.S. authorities after wrapping up its investigation on September 15, according to Bleeping Computer.
The attack was first made public on June 13, when WestJet reported system outages that took its app offline. While the airline did not initially say whether customer information had been accessed, the latest update confirms that hackers obtained personal data such as names, dates of birth, mailing addresses, travel documents, complaints, and WestJet Rewards account details.
In some cases, information linked to WestJet-branded RBC Mastercard accounts was also involved.
Importantly, the airline says no credit card numbers, CVV codes, expiration dates, or customer passwords were exposed. Customers who booked travel for others have been warned that those individuals’ data may also be at risk.
Bleeping Computer reported that attackers gained entry by tricking a WestJet employee into resetting their password, allowing access to the company’s Citrix systems and, eventually, its Microsoft cloud network. At the time of the breach, the hacking group Scattered Spider had been targeting aviation companies, though WestJet has not attributed the attack to any specific actor.
The company has notified affected customers and is offering two years of free identity theft protection and credit monitoring. In its letter, WestJet said, “We continue to work alongside our technical experts to determine the full extent of the incident… we have worked as quickly as possible to review the data we understand to be involved and to ascertain whether any of your personal information has been involved.”
WestJet says the FBI is assisting in the ongoing investigation. It’s time to change your passwords and also ensure you have two-factor set up on all your accounts, if you were affected by this hack. Using a password manager such as 1Password will let you easily create unique passwords for each site and set up 2-factor codes where available.
Want to see more of our stories on Google?
P.S. Want to keep this site truly independent? Support us by buying us a beer, treating us to a coffee, or shopping through Amazon here. Links in this post are affiliate links, so we earn a tiny commission at no charge to you. Thanks for supporting independent Canadian media!
They'll walk away with a slap on the wrist while average canadians carry the burden of potentially having their identity stolen.
Love how they downplayed the severity of this breach. Handing people 2 years of “free” non-stop high pressure lies from a fly-by-night credit monitoring group doesn’t fix the problem.