Canadian airline WestJet has confirmed that a massive data breach in June 2025 exposed the personal information of roughly 1.2 million people. The company says it has now completed its investigation and is notifying affected individuals.
The cyberattack, which took place on June 13, disrupted access to WestJet’s website and mobile app. Following weeks of analysis, the airline admitted that hackers stole sensitive information belonging to customers, loyalty program members, and some credit card holders.
According to a filing with the Maine Attorney General’s Office, the exposed data includes names, addresses, dates of birth, government-issued ID details, and information tied to travel requests such as accommodation preferences and complaints.
For WestJet Rewards members, additional details may have been compromised, including account ID numbers, point balances, and other membership information. Customers with WestJet RBC Mastercard products, including the RBC World Elite Mastercard, were also affected. While full credit card numbers and CVVs were not taken, records show that credit card identifier types and loyalty point changes may have been accessed.
The airline has advised travelers to inform family members or others linked to their booking in case their information was also impacted.
To help protect those affected, WestJet is offering two years of free identity monitoring, fraud protection, and identity theft assistance services. The package also includes up to $1 million in expense reimbursement insurance.
WestJet emphasized that no credit card or debit card numbers, CVVs, or user passwords were compromised and that its systems are now secure. However, the company has not revealed the exact nature of the attack, and no ransomware group has publicly claimed responsibility.
The incident adds to a growing list of airline data breaches worldwide, highlighting the aviation sector’s vulnerability to increasingly sophisticated cyberattacks.
