WestJet, the second-largest airline in Canada, has revealed that an extensive cyberattack earlier this year compromised the personal details of around 1.2 million passengers.
The airline disclosed this information in an official report to the Attorney General of Maine, confirming that 240 residents of the state were among those affected.
The breach reportedly exposed sensitive passenger information, including names, dates of birth, postal addresses, and travel documents such as passports and government-issued ID cards.
Additional data related to passenger preferences and complaints was also accessed. Furthermore, details connected to WestJet’s customer loyalty programme, including points balances and reward account information, may have been stolen.
WestJet first became aware of the unauthorised access to its computer systems in June and launched an investigation to determine the full extent of the breach and secure its network. When approached by TechCrunch for comment, WestJet spokesperson Jennifer Booth did not respond.
Cybersecurity experts and media reports have attributed the breach to a hacking group known as Scattered Spider. This group, composed mostly of English-speaking teenagers and young adults, is financially motivated and known for manipulating IT support desks through social engineering, tricking employees into granting network access.
Earlier this year, the FBI and cybersecurity firms issued warnings about an increase in attacks targeting the transport and aviation sectors, specifically naming groups like Scattered Spider. The same collective is believed to have been behind a cyberattack on Australian airline Qantas, which resulted in the theft of personal details from over six million customers.