Canada's second-largest airline WestJet just disclosed that 1.2 million passengers had their personal data stolen in a cyberattack earlier this year. The breach, linked to the notorious Scattered Spider hacking group, exposed everything from passport numbers to reward points balances, marking another massive win for the teenage hackers terrorizing the aviation industry.
WestJet finally put numbers to what's shaping up as one of the year's most significant airline breaches. The Canadian carrier confirmed that 1.2 million passengers had their personal information stolen in a cyberattack that first came to light in June, according to a Maine attorney general filing that revealed 240 state residents were among the affected.
The scope of compromised data reads like a hacker's wishlist. Beyond standard passenger information like names and birth dates, the breach exposed passport numbers, government-issued ID documents, and detailed travel records including customer complaints and accommodation requests. Even more concerning - hackers accessed WestJet's entire rewards program database, stealing points balances and account details that could enable account takeovers.
Security researchers have tied the breach to Scattered Spider, the English-speaking hacking collective that's been methodically dismantling aviation cybersecurity this year. These aren't your typical basement dwellers - they're sophisticated social engineers who call IT help desks directly, convincing employees to hand over network access through pure psychological manipulation.
The timing couldn't be worse for an industry already reeling from cyber threats. Just months after WestJet's incident, Australian carrier Qantas fell victim to what investigators believe was the same Scattered Spider operation, exposing over 6 million passenger records. The FBI issued specific warnings about aviation sector targeting, but clearly those alerts came too late.
WestJet's radio silence speaks volumes about the breach's severity. Company spokesperson Jennifer Booth declined to answer TechCrunch's direct questions about the incident, a response that typically signals either ongoing law enforcement involvement or legal liability concerns. The airline first disclosed the "security incident" in June but waited months to reveal the full passenger impact.
What makes Scattered Spider particularly dangerous isn't just their technical skills - it's their ability to bypass traditional cybersecurity measures entirely. While most companies invest heavily in firewalls and intrusion detection, these hackers simply pick up the phone and convince help desk workers they're legitimate employees who've forgotten their passwords. It's devastatingly effective against human psychology.
