WestJet Breach May Have Leaked Data of Over 1M Customers
Canada-based WestJet Airlines may have suffered a breach that leaked the sensitive information of more than 1 million customers, a law firm investigating the incident said Thursday. Multiple states also recently reported the breach.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“Although the breach occurred in June 2025, WestJet did not begin notifying affected individuals until on or around September 29, 2025, which may have violated state and federal laws,” said a press release from Schubert Jonckheer, which is investigating the breach on behalf of the 1.2 million potential victims.
On a webpage disclosing the breach, the airline said it “identified suspicious activity on our WestJet systems” on June 13, and “immediately investigated and determined that these were the actions of a sophisticated, criminal third party, who gained unauthorized access to our systems.”
“Given the significant importance of data security to the integrity of our business, we are prepared for incidents of this nature and followed our response planning by taking immediate action to contain the incident and secure our systems,” the webpage added.
The data involved in the breach included contact details, information and documents provided in connection with reservation and travel, and data regarding relationships with the airline, said WestJet, citing a technical and forensic investigation that concluded Sept. 15. The airline said it determined that no credit or debit card information nor guest user passwords were obtained.
WestJet said it worked with the FBI and the Canadian Centre for Cyber Security to respond to the incident, but it didn't say when the law enforcement agencies were informed. “Containment is complete, and some additional system and data security measures have been implemented,” though “analysis is ongoing, and we will continue to take measures to further enhance our cybersecurity protocols,” the airline said.
On Sept. 29, the attorney general's offices in Vermont, South Carolina, New Hampshire and Iowa reported the breach. The Maine and California AG offices reported it Sept. 30.
A sample notification letter posted on some of the AG sites includes much of the same information as WestJet’s webpage about the incident. It also offers victims a free identity theft and monitoring solution for two years.