Canada’s privacy commissioner has launched an inquiry into a cyberattack against WestJet, during which a “malicious actor” was able to access the airline’s systems.
The airline announced in a statement last month that a “sophisticated, criminal” third party managed to access certain personal and travel-related information during a June cybersecurity breach. WestJet said it had identified all individuals impacted by the breach and would contact them.
The airline said the safety of its airline operations was never threatened but noted that some personal and travel-related data was accessed.
“Given the significant importance of data security to the integrity of our business, we are prepared for incidents of this nature and followed our response planning by taking immediate action to contain the incident and secure our systems,” the company said in a July 18 press release.
“Thanks to our internal precautionary measures, no credit card or debit card numbers and no guest user passwords were obtained.”
The airline noted that the amount of customer information accessed by the hackers “varies from person to person.”
A statement from the office of Privacy Commissioner of Canada Philippe Dufresne said the investigation will scrutinize the security protocols that WestJet had in place at the time of the breach.
It said it would also evaluate the adequacy of WestJet’s notifications to the impacted individuals to determine if the airline’s response was in compliance with privacy laws.
“The Office of the Privacy Commissioner of Canada (OPC) is actively engaging with the organization to ensure that it is taking appropriate steps to respond to the incident, and the immediate focus is on ensuring that the company is effectively addressing the breach and protecting the personal information of its customers,” the agency said in an Aug. 5 press release. “This includes breach containment, notification of those affected and measures to reduce risks.”
The OPC said it cannot provide any further details because the matter involves an active investigation.
West Jet said it first discovered the security breach on June 13 and quickly contacted law enforcement thereafter. The airline said it “closely cooperated” with the authorities and the Canadian Centre for Cyber Security on the matter.
“Containment is complete, and some additional system and data security measures have been implemented,” the airline said in the July 18 press release. “However, analysis is ongoing, and we will continue to take measures to further enhance our cybersecurity protocols.”
