WestJet, the second-largest airline in Canada, said 1.2 million people had information stolen during a cyberattack this summer that caused intermittent interruptions and errors on its website. 

WestJet was one of several airlines attacked in June, allegedly by actors connected to the Scattered Spider cybercriminal organization. WestJet systems were largely restored after five days.

But in notices this week on its website and in breach notices filed with U.S. regulators, the airline confirmed that the hackers stole troves of sensitive information that included basic data like names and addresses as well as travel documents like passports and government IDs.

Other information associated with travel like accommodations or complaints was also leaked as a result of the incident. 

For those who were part of the company’s rewards programs, information about their accounts, points and other data was also stolen. Passwords to accounts were not accessed, the airline said. 

No credit card numbers, expiration dates and CVV numbers were exposed, but anyone with WestJet credit cards issued through outside banks had basic account information involved in the breach, the company said. 

WestJet also warned victims that any family members who flew under the same booking number should be warned about the incident because their information may also have been leaked. 

The company said it is still working with experts to determine the full extent of the incident. WestJet reiterated that the airline’s operations were never at risk and its systems are now fully secure. 

According to the breach notification letters, WestJet first discovered suspicious activity on its systems  on June 13. An investigation completed on September 15 found that a “sophisticated, criminal third party” had gained access. 

The FBI, the Canadian Centre for Cyber Security and the Office of the Privacy Commissioner of Canada are investigating, WestJet said.

Victims are being given two years of identity monitoring services. 

At the time of the attack on WestJet, multiple airlines came forward to warn people of cyber incidents affecting their operations. Hawaiian Airlines and Qantas both reported attacks, while incident responders from Google warned of a wider campaign on the airline industry by the Scattered Spider group. 

Qantas said the data of 5.7 million people was exposed and last month the company penalized senior company executives for the breach. 

It is still unclear what Scattered Spider is doing with the stolen data, but the group resurfaced on Tuesday, warning that it planned to create a data leak site for extorting victims. 

Several members of the group are now in prison or facing charges over cyberattacks on large companies. 

A Justice Department complaint unsealed last week revealed that Scattered Spider was able to extort at least $115 million from dozens of victims over the last three years and also breached a U.S. federal court network.