Executive Summary
In June 2025, Canadian airline WestJet revealed a cybersecurity breach that resulted in the exposure of sensitive customer information, including names, dates of birth, mailing addresses, travel documents such as passports and government IDs, requested accommodations, complaints, and loyalty program data. The breach, disclosed after disruptions to internal systems and the company’s mobile app, was investigated over several months, with findings confirmed in mid-September. While no official attribution has been confirmed, the notorious Scattered Spider threat group was active in targeting the aviation industry at the time. The FBI is assisting with the investigation, and all affected customers have been notified.
This breach is of significant concern as it exemplifies the intensifying targeting of travel and aviation sectors by sophisticated threat actors using advanced social engineering and credential-harvesting techniques. The incident also underscores increasing regulatory scrutiny and customer awareness around identity-related attacks and privacy risks in critical infrastructure industries.
Why This Matters Now
Recent attacks like the WestJet breach highlight the continued vulnerability of the aviation sector to sophisticated cyber threats, especially from advanced groups like Scattered Spider. With sensitive identity and travel data compromised, the urgency of adopting robust data protection, zero trust controls, and regulatory compliance has never been greater.
Attack Path Analysis
Attackers likely gained initial access via a phishing attack or exploitation of a cloud service misconfiguration. Once inside, they elevated privileges to reach sensitive data repositories and moved laterally between internal systems to broaden access to travel documents and customer records. The attackers established command and control to maintain persistence and coordinate data theft, and sensitive personal and identity documents were exfiltrated from WestJet systems. The result was the exposure of customer data, followed by regulatory notifications and identity protection measures.
Kill Chain Progression
Initial Compromise
Description
Attackers probably obtained access through phishing, exploiting a cloud misconfiguration, or abusing valid credentials to infiltrate the environment.
Related CVEs
CVE-2015-2291
CVSS: 7.8
A vulnerability in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or potentially execute arbitrary code via a crafted application.
Affected Products: Intel Ethernet diagnostics driver for Windows – before 1.3.1.0
Exploit Status: Exploited in the wild
MITRE ATT&CK® Techniques
- Valid Accounts (T1078)
- Exploit Public-Facing Application (T1190)
- Application Layer Protocol (T1071)
- Data from Local System (T1005)
- Exfiltration Over Web Service (T1567)
- Exfiltration Over C2 Channel (T1041)
- Data Manipulation (T1565)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Render PAN unreadable (Control ID: 3.4.1)
- NYDFS 23 NYCRR 500 – Access Privileges Management (Control ID: 500.07)
- DORA (Digital Operational Resilience Act) – ICT Risk Management Framework (Control ID: Art. 10)
- CISA Zero Trust Maturity Model 2.0 – Strong Authentication & Least Privilege (Control ID: Identity Pillar: Access Management)
- NIS2 Directive – Cybersecurity Risk Management and Incident Reporting (Control ID: Art. 21)
- GDPR – Security of Processing (Control ID: Art. 32)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
- Airlines/Aviation: Direct sector exposure, as the WestJet breach compromised passenger passports, travel documents, and booking data, requiring enhanced encrypted traffic and egress security controls.
- Leisure/Travel: High vulnerability due to extensive personal data collection, including travel documents and accommodations, necessitating zero trust segmentation and multicloud visibility controls.
- Financial Services: Critical risk; the exposure of WestJet RBC Mastercard data demonstrates the need for threat detection, anomaly response, and policy enforcement across payment processing systems.
- Hospitality: Significant exposure through guest accommodation data and booking systems, requiring Kubernetes security and cloud firewall protections for customer information assets.
Sources
- WestJet confirms recent breach exposed customers' passports – https://www.bleepingcomputer.com/news/security/westjet-confirms-recent-breach-exposed-customers-passports/
- CISA and Partners Release Updated Advisory on Scattered Spider Group – https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-and-partners-release-updated-advisory-scattered-spider-group
- WestJet Confirms Data Breach – Customers’ Personal Information Exposed – https://cyberpress.org/westjet-confirms-data-breach/
- Scattered Spider (Wikipedia) – https://en.wikipedia.org/wiki/Scattered_Spider
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, robust east-west traffic controls, encrypted data-in-transit, and egress enforcement capabilities could have significantly limited attacker movement, detected anomalies, and prevented large-scale exfiltration of sensitive PII and identity documents.
- Multicloud Visibility & Control: Enhanced visibility detects abnormal or unauthorized access attempts rapidly.
- Zero Trust Segmentation: Identity-based microsegmentation blocks privilege escalation to sensitive workloads.
- East-West Traffic Security: Lateral movement is detected and restricted across workload boundaries.
- Threat Detection & Anomaly Response: Anomalous command-and-control traffic is rapidly identified and contained.
- Egress Security & Policy Enforcement: Outbound data transfers are blocked or restricted to approved destinations.
Real-time inline controls minimize incident scope and accelerate response.
Impact at a Glance
Affected Business Functions
- Reservations
- Customer Service
- Loyalty Programs
Estimated downtime: 3 days
Estimated loss: $5,000,000
The breach exposed sensitive personal information of approximately 1.2 million customers, including names, dates of birth, mailing addresses, and travel document details such as passport numbers. Additionally, information related to WestJet Rewards accounts and co-branded credit card details were compromised. No credit card numbers, expiry dates, CVV numbers, or user passwords were affected.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation to enforce workload and identity-based least privilege across all cloud resources.
- Deploy comprehensive east-west traffic monitoring and policy enforcement to prevent and detect lateral movement.
- Enforce strong egress filtering and encrypted traffic inspection to prevent unauthorized data exfiltration and covert C2 channels.
- Leverage centralized, multicloud visibility for rapid detection of anomalous behavior and unified incident response.
- Integrate automated threat detection and response to baseline cloud traffic and alert on active exploitation or insider threats.