This story was updated with new information on the number of customers impacted.

Canadian airline WestJet is informing customers that the cyberattack disclosed in June compromised the personal information of 1.2 million customers, including passports and ID documents.

WestJet is a major airline in North America, operating a fleet of 153 aircraft and serving 104 destinations, which carry over 25 million travelers annually.

On June 13, the company disclosed a cybersecurity incident that disrupted internal systems and made the WestJet app unavailable to customers.

Around that time, threat actors associated with Scattered Spider were focusing their attacks on organizations in the aviation industry. However, there is no official attribution for the hackers behind the WestJet breach.

Soon after the attack, BleepingComputer learned that the threat actors breached WestJet by using social engineering to reset an employee's password and gain access to the network through Citrix.

This allowed the attackers to compromise the Windows networks and the company's Microsoft cloud network.

The WestJet data breach

In the days following the disclosure, WestJet published multiple updates, assuring customers that all appropriate measures to protect their data were being implemented. However, the communications did not specify whether the hackers had managed to access any sensitive information.

In a data breach notification sent to customers and shared with authorities in the U.S., the company has confirmed the impact after completing an investigation on September 15.

WestJet also confirmed to the Maine Attorney General's Office that the breach allowed the attackers to steal the data for approximately 1.2 million customers.

According to the findings, the following data types have been exposed to the attackers, varying per individual: 

• Full name
• Date of birth
• Mailing address
• Travel documents, such as a passport or government ID
• Requested accommodations
• Filed complaints
• WestJet Rewards Member ID, points, and other information
• WestJet RBC Mastercard, WestJet RBC World Elite Mastercard, or WestJet RBC World Elite Mastercard information.

WestJet specified that no credit card or debit card numbers, expiry dates, CVV numbers, or user passwords were compromised.

The airline noted that recipients of the notification should inform other individuals who may have flown under the same booking number as them, as their information might have been exposed too.

WestJet states that it is still determining the full scope of the incident, so this initial notice is being circulated to those confirmed to be impacted. However, it may not represent the complete impact of the compromise.

"We continue to work alongside our technical experts to determine the full extent of the incident," reads the letter.

"While investigations of this nature are complicated and take time to complete, we have worked as quickly as possible to review the data we understand to be involved and to ascertain whether any of your personal information has been involved."

The company also stated that the FBI is involved in the investigations and that it has taken all the appropriate measures to prevent similar incidents from occurring in the future.

The notices also enclose instructions on how to enroll in a free 2-year identity theft protection and monitoring service, redeemable by November 30.