WestJet Airlines, the second-largest Canadian carrier, is dealing with a cybersecurity incident that shines a bright light on an ongoing threat facing any business that collects large volumes of customer data. No flight operations were impacted, but the breach affected access to the airline’s internal systems and mobile application, says it will conduct an immediate investigation.
The cyber-attack, which First appeared on Friday, June 13, 2025, resulted in limitations on use of the WestJet app and book-correcting website for some users. Despite its restoration, these functions have not been fully restored and our internal teams, including IT and security, are working closely with leading third-party security experts to investigate the nature and scope of the incident. WestJet has not confirmed if personal data was affected or the nature of the attack that it succumbed to.
This situation is an important reminder for any organization on the critical value associated with sound data protection plans. Here are some key takeaways:
Offense is the best Defense: Cyber-attacks are becoming more complex and advanced and as such, the offensive model of proactive and layered security is critical. Frequent vulnerability scans, penetration testing, and continuous monitoring are critical so that vulnerabilities can be discovered and pounced on before adversaries can abuse them.
Swift Incident Response: WestJet’s immediate response to involve specific internal teams and to work with law enforcement illustrate the need for a sound incident response plan. Speedy identification, isolation, and messaging are all key to minimizing the damage and preserving trust.
Employee And Guest Awareness: WestJet has recommended that Microtel employees and guests be vigilant when sharing personal information, as there may be risks of fraud such as identity theft and phishing attacks. And this underscores the human factor in cybersecurity and the continual training of everyone involved.
Transparency and Communication: Though the dust has yet to settle, WestJet’s promises to offer regular updates on their website and social media networks demonstrate the importance of staying as transparent as possible in a cyber crisis. Honesty eases expectations and restores trust.
Resilience in Critical Infrastructure: As other Canadian critical infrastructure operators, including energy firms, can attest from recent events, with today’s systems, if one portion is compromised, the effects can be far-reaching. As we saw, for example, with the recent WannaCry and NotPetya attacks, investment in cyber resilience is no longer discretionary, it is a necessity.
The WestJet case is under current investigation, but it is already providing important lessons for how organizations must evolve and keep evolving data protection within an evermore hostile digital landscape.
