Date of Incident:
June 13, 2025
Overview:
The WestJet data breach, reported on October 1, 2025, occurred on June 13, 2025, affecting the transportation sector. Approximately 1.2 million customers’ personal information was compromised, including names, birthdates, addresses, travel documents, and loyalty program details, though no credit card or password data was breached. The cyberattack leveraged MITRE ATT&CK techniques for credential access and data staging, exploiting access control weaknesses to extract large amounts of data covertly. Indicators of compromise included logins from suspicious IP addresses, registry tampering, and atypical data transfers, pointing to a sophisticated account-based intrusion.
Impact:
The personal information of approximately 1.2 million customers was compromised, including full names, dates of birth, mailing addresses, travel documents (passports and government ID), requested accommodations, filed complaints, WestJet Rewards Member details, and WestJet RBC Mastercard information. No credit card or debit card numbers, expiry dates, CVV numbers, or passwords were compromised.
Details:
This breach aligns with MITRE ATT&CK techniques T1555 (Credentials from Password Stores), T1078 (Valid Accounts), and T1499 (Data Staged). The attack likely involved unauthorized access to WestJet’s customer databases containing personally identifiable information (PII), including travel documents and loyalty program details. The observed behavior points to exploitation of weaknesses in access controls or API endpoints that allowed data exfiltration without touching payment card numbers or passwords, which were reportedly not compromised. Reported IOCs include targeted logins from suspicious IP addresses, registry edits attempting to disable security alerts, and network traffic carrying large data dumps to uncommon external domains. Log artifacts showed multiple failed authentication attempts followed by a successful login from an unusual geolocation shortly before the data was accessed. Payload analysis suggests the data was extracted in bulk using obfuscation to avoid detection in logs.
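The sequence described above (a burst of failed logins, a successful login from an unfamiliar geolocation, then a bulk transfer to an uncommon external domain) is the kind of pattern a SIEM rule can chain together. The following is an added illustration, not code from WestJet or from the incident report: it runs a two-stage correlation over constructed log lines in an assumed "timestamp user event src_ip country bytes_out destination" format, using a hypothetical per-user country baseline and a destination allowlist. Thresholds are placeholders a team would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not data from the incident).
# Assumed layout: "<timestamp> <user> <event> <src_ip> <country> <bytes_out> <destination>"
SAMPLE_LOGS = """\
2025-06-13T01:00:05Z alice AUTH_FAIL 203.0.113.7 ZZ 0 -
2025-06-13T01:00:09Z alice AUTH_FAIL 203.0.113.7 ZZ 0 -
2025-06-13T01:00:14Z alice AUTH_FAIL 203.0.113.7 ZZ 0 -
2025-06-13T01:00:20Z alice AUTH_OK 203.0.113.7 ZZ 0 -
2025-06-13T01:07:40Z alice EGRESS 203.0.113.7 ZZ 734003200 files.example-unknown.test
2025-06-13T09:15:00Z bob AUTH_OK 198.51.100.4 CA 0 -
2025-06-13T09:20:00Z bob EGRESS 198.51.100.4 CA 120000 crm.corp.example
"""

# Hypothetical baselines: countries each account normally signs in from, and
# destinations that legitimately receive large transfers.
BASELINE_COUNTRIES = {"alice": {"CA"}, "bob": {"CA"}}
KNOWN_DESTS = {"crm.corp.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, event, ip, country, bytes_out, dest = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "event": event, "ip": ip, "country": country,
        "bytes": int(bytes_out), "dest": dest,
    }


def detect(log_text, baseline_countries, known_dests,
           fail_threshold=3, fail_window=timedelta(minutes=5),
           egress_window=timedelta(hours=1), bulk_bytes=100 * 1024 * 1024):
    """Return (alert_type, user, ...) tuples for the two-stage pattern:
    stage 1: >= fail_threshold failures within fail_window, then AUTH_OK from a
             country outside the user's baseline -> SUSPICIOUS_LOGIN
    stage 2: within egress_window of that login, an EGRESS of >= bulk_bytes to a
             destination not on the allowlist -> BULK_EGRESS
    """
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures in window
    suspicious_login_at = {}           # user -> time of the flagged login

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]

        if ev["event"] == "AUTH_FAIL":
            recent_fails[user].append(ev["ts"])
            # Drop failures that have aged out of the window.
            recent_fails[user] = [t for t in recent_fails[user]
                                  if ev["ts"] - t <= fail_window]

        elif ev["event"] == "AUTH_OK":
            fails = [t for t in recent_fails[user] if ev["ts"] - t <= fail_window]
            new_geo = ev["country"] not in baseline_countries.get(user, set())
            if len(fails) >= fail_threshold and new_geo:
                suspicious_login_at[user] = ev["ts"]
                alerts.append(("SUSPICIOUS_LOGIN", user, ev["ip"], ev["country"]))
            recent_fails[user].clear()

        elif ev["event"] == "EGRESS":
            start = suspicious_login_at.get(user)
            if (start is not None
                    and ev["ts"] - start <= egress_window
                    and ev["bytes"] >= bulk_bytes
                    and ev["dest"] not in known_dests):
                alerts.append(("BULK_EGRESS", user, ev["dest"], ev["bytes"]))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, BASELINE_COUNTRIES, KNOWN_DESTS):
        print(alert)
```

Chaining the egress alert to a prior suspicious login keeps the rule quiet for ordinary large transfers (bob's CRM sync above raises nothing) while still surfacing the account that fits the full sequence; the same structure extends naturally to a third stage for the registry edits mentioned above if endpoint telemetry is available in the same pipeline.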
Remediation:
WestJet was advised to apply immediate patches to all externally facing systems and internal APIs handling customer data. Temporary mitigations included enforcing multi-factor authentication (MFA), revising access policies, disabling outdated accounts, and conducting continuous monitoring for anomalous access patterns. A post-incident audit recommended comprehensive security awareness training and the implementation of more granular data encryption at rest and in transit to mitigate future breaches.
Takeaway for CISO:
This breach exposes sensitive customer travel and identification details for over a million users, highlighting data protection risks for transportation companies. CISOs should enforce strict access controls, continuous monitoring, and layered defense strategies including tokenization of sensitive fields. Strategic investment in incident response readiness and regular security posture assessments is crucial to reduce breach impact and maintain customer trust.
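Tokenization of sensitive fields, recommended above alongside the granular encryption at rest mentioned in the remediation section, limits what a bulk dump of the customer table actually yields. The following is an added example and not WestJet's or any vendor's code: customer records keep only opaque random tokens for passport numbers and dates of birth, while the plaintext lives in a separate vault that only an assumed authorized role can query. The in-memory vault and the role names are assumptions for the example; in a deployment the vault would be a separately access-controlled, encrypted store.

```python
import json
import secrets

# Fields that never appear in plaintext in the customer table (assumed set).
SENSITIVE_FIELDS = ("passport_number", "date_of_birth")


class TokenVault:
    """Maps opaque random tokens to the sensitive values they stand in for.

    The vault is an in-memory dict here (assumption for the example); the point
    is the separation: a dump of the customer records alone reveals nothing,
    and detokenization is gated on an authorized role.
    """

    def __init__(self, authorized_roles=("identity-verification",)):
        self._store = {}
        self._authorized = set(authorized_roles)

    def tokenize(self, value):
        # The token is random, not derived from the value, so it cannot be
        # reversed or correlated without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token, role):
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} is not allowed to detokenize")
        return self._store[token]


def tokenize_record(record, vault):
    """Return a copy of the record with sensitive fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = vault.tokenize(out[field])
    return out


def masked_display(vault, token, role, keep_last=3):
    """Show only the tail of a value, e.g. for a support screen."""
    value = vault.detokenize(token, role)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def contains_plaintext(records, plaintext_values):
    """True if any of the given plaintext values appears in a JSON dump of records."""
    blob = json.dumps(records)
    return any(v in blob for v in plaintext_values)


# Constructed sample records for this example (not real customer data).
SAMPLE_RECORDS = [
    {"name": "A. Example", "passport_number": "X1234567", "date_of_birth": "1980-01-01",
     "rewards_id": "WR0001"},
    {"name": "B. Example", "passport_number": "X1234567", "date_of_birth": "1991-05-20",
     "rewards_id": "WR0002"},
]
SAMPLE_SECRETS = ["X1234567", "1980-01-01", "1991-05-20"]


if __name__ == "__main__":
    vault = TokenVault()
    stored = [tokenize_record(r, vault) for r in SAMPLE_RECORDS]
    print(json.dumps(stored, indent=2))
    print(masked_display(vault, stored[0]["passport_number"], "identity-verification"))
```

Because tokens are random per record, two customers who share a value (the duplicated passport number above stands in for that case) receive different tokens, so even the tokenized table does not leak equality between rows; if a workflow needs deterministic matching, that is a deliberate design choice to make with its own keyed scheme rather than the default.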
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management