WestJet Guest Update – Cybersecurity incident

On June 13, 2025, WestJet identified suspicious activity on its systems. We immediately investigated and determined that these were the actions of a sophisticated criminal third party who gained unauthorized access to our systems. 

At no point was the safety and integrity of our airline operations in question.

WestJet engaged internal and external experts to perform a technical and forensic investigation to identify the nature and scope of the event. The incident has been successfully contained and additional system and data security measures have been implemented to enhance our existing security program. We take this situation very seriously. Privacy and information security are top priorities and strict measures are in place to protect the information in our care. 

WestJet is also offering identity theft protection services to relevant individuals where appropriate and where these services are available. For more information, please see “Am I affected” below.

No credit card or debit card numbers, expiry dates or CVV numbers, and no guest user passwords were obtained. What was obtained varies from person to person and includes information derived from some travel bookings and some limited employee information. 

For most individuals, the type of personal information involved was not sensitive. However, for certain individuals the data may include information such as name, contact details, information and documents provided in connection with their reservation and travel, and data regarding their relationship with WestJet. While it is possible that some of this information could be used for identity theft or fraud (including in the context of any booked travel), WestJet is not aware of any misuse of the relevant data for such purposes. 

If you received an email or letter notice about this incident directly from WestJet, that notice sets out the types of personal information about you that may have been involved in this incident and provides information on how to access identity theft protection services.

If you were not contacted by WestJet directly and would like to know whether your data was involved, please contact us using the information below. 

Unfortunately, our investigation into the incident confirmed that certain data was illegally obtained. In accordance with regulatory requirements, WestJet is contacting individuals where appropriate and where we are able to. In addition, we are making additional resources and information available on our website. 

WestJet has also reported this incident to law enforcement and relevant data protection authorities.

WestJet is also offering identity theft protection services to relevant individuals where appropriate and where these services are available.

If you received an email or letter notice about this incident directly from WestJet, that notice sets out the types of personal information about you that may have been involved in this incident and provides information on how to access identity theft protection services.

If you were not contacted by WestJet directly and would like to know whether your data was involved, please contact us using the information below:

If you reside in Canada or the United States and would like to know whether your data was involved, please contact WestJet at 1-888-937-8538 or email wjresponseteam@westjet.com stating your country of residence in the subject line so that we may properly allocate your request

If you reside outside Canada or the United States and would like to know whether your data was involved please find our list of international phone numbers here or email wjresponseteam@westjet.com stating your country of residence in the subject line so that we may properly allocate your request.

In accordance with regulatory requirements, WestJet’s Cyber Response team is contacting individuals where appropriate and where we are able to through our trusted partner, Cyberscout, a division of TransUnion. Cyberscout has been authorized by WestJet to contact individuals as part of our official response effort.

We hold your details as part of providing our services – including booking a flight, managing your travel, and keeping you informed about your journey. 

We only collect the personal information necessary to deliver these services and in accordance with our data protection obligations. 

We also manage information related to our employees, which we are required to store to meet certain legal obligations and for operational purposes.

Containment is complete and some additional system and data security measures have been implemented. If you have upcoming travel, you can check your flight details through the website or our Mobile App as normal. As a general practice, we encourage you to remain vigilant and monitor for any unexpected changes to your upcoming bookings.

We have no indication that WestJet points or point systems are at risk as a result of this incident. All WestJet Rewards account functionality is available to members, crediting of points is up to date, and members can continue to use the program as normal. It is important to note, passwords to access WestJet Rewards accounts were not affected.

If you do receive any suspicious emails, text messages or calls from someone purporting to be from WestJet please visit our Scams and fraudulent schemes page on our website or contact local authorities.

As a general recommendation, and not in connection with this incident, we would encourage you to follow best practice from a security perspective, including the below steps:

• Check your flight information ahead of any upcoming trips
• Continue to be alert to the risk of phishing and fraudulent emails asking you to enter login credentials, provide financial information or give up any other personal data.
• Check your bank statement regularly for any unusual activity that you do not recognize.
• Check your credit file regularly for newly opened accounts or credit searches that you do not recognize.
• Use strong passwords and change them regularly. Use passwords that are at least eight characters long and use numbers, upper case, lower case and symbols.
• Never give out personal details over the phone unless you are sure who you are speaking to.

Please note we would never contact you by email to ask you to provide us with any payment card information.

Additional resources about protecting yourself from scams and fraud are available from the Canadian Anti-Fraud Centre.

Yes, containment is complete and additional system and data security measures have been implemented. 

WestJet understands the desire for this information. Please be assured that we notified law enforcement and are providing our full support.

WestJet takes IT security very seriously. Strong protections and measures are in place to protect infrastructure and data. WestJet invests in cybersecurity capabilities as a key priority to improve and enhance cyber resiliency. In the wake of the incident, measures to further enhance our cyber-security protocols are ongoing.

Yes. WestJet is working with law enforcement, including the US Federal Bureau of Investigation and the Canadian Centre for Cyber Security, and have notified the relevant authorities, including Transport Canada, the Office of the Privacy Commissioner of Canada and its provincial and international counterparts as appropriate.

WestJet has no indication that WestJet points or point systems are at risk as a result of this incident. All WestJet Rewards account functionality is available to members, crediting of points is up to date, and members can continue to use the program as normal. It is important to note, passwords to access WestJet Rewards accounts were not affected. 

WestJet would never contact you by email to ask you to provide us with any payment information. 

Additional resources for protecting yourself from scams and fraud are available from the Canadian Anti-Fraud Centre.

We take our IT security very seriously and that is reflected in the way we have responded to this incident. We already had strong protections and measures in place to protect our infrastructure and data. We invest in cybersecurity capabilities as a key priority to improve and enhance our cyber resiliency. Our professional information security team works tirelessly to protect our information systems and your data. In the wake of the incident, we have worked closely with our specialist IT advisors to further bolster our security measures.

Cyber security is an issue we take very seriously at WestJet.  While cyber incidents are not completely avoidable, even with the most stringent protections in place, WestJet’s IT defences have always been strong, and we have bolstered our defences to further enhance our system’s security and overall IT infrastructure.