Language selection

Search

Compliance Letter to the Office of the Privacy Commissioner of Canada (“OPC”) By WestJet, an Alberta Partnership (“WestJet”)

General Terms

  1. The Privacy Commissioner of Canada (“the Commissioner”) oversees compliance with the Personal Information Protection and Electronic Documents Act (“PIPEDA” or “the Act”), which governs the collection, use and disclosure of personal information by private-sector organizations in the course of commercial activities.
  2. On August 5, 2025, pursuant to s. 11(2) of PIPEDA, the Commissioner launched a Commissioner-initiated investigation (“CII”, file PIPEDA-051877) into a privacy breach of WestJet’s systems that occurred on or around June 12, 2025 (“the breach”), specifically with respect to the adequacy of the security safeguards that WestJet had in place at the time of the breach, as well as the adequacy of its notifications to affected individuals.
  3. WestJet has agreed to fulfil the commitments set out in this Compliance Letter (this “letter”) at the request of the Commissioner. In this letter, WestJet confirms actions that it has already taken to further safeguard personal information since the breach and commits to provide additional information and to perform certain additional tasks in relation to the breach.
  4. Upon the Commissioner being satisfied that WestJet has fulfilled all of the commitments set out in this letter, the CII will be discontinued in accordance with paragraph 12.2(1)(c) of PIPEDA, on the basis that WestJet will have provided a fair and reasonable response to the complaint. The Commissioner retains the discretion to continue the CII or may expand the scope of the CII, pursuant to s. 11(2) of PIPEDA, should he deem that WestJet has not fulfilled the commitments set out in this letter or if new privacy concerns are brought to his attention in relation to this matter. If the CII has been discontinued and new privacy concerns are brought to the Commissioner’s attention, he may commence a new Commissioner-initiated investigation pursuant to s. 11(2) of PIPEDA.
  5. The Commissioner may request information and documents from WestJet for the purpose of verifying that the organization is fulfilling the commitments it has made in this letter.
  6. The Commissioner may seek further commitments from WestJet following review of any additional information that he receives on the matter.
  7. This letter, or part thereof, may be disclosed or made public by the Commissioner under s. 20 of PIPEDA.
  8. For greater certainty, nothing in this letter shall prevent or otherwise limit the Commissioner from exercising or performing any of his powers and duties under the Act.
  9. This letter is not intended as, or to be construed as, an admission of liability or wrongdoing by WestJet, or as a finding or reporting of finding by the Commissioner pursuant to s. 13 of PIPEDA that WestJet was or is in contravention of PIPEDA.

Incident Overview

The facts of the breach, as they are known on the date of signature of this letter and as confirmed by WestJet, are as follows:

  • On June 12, 2025, WestJet experienced a cybersecurity incident in which an unauthorized third party (“threat actor”) used social engineering tactics to gain access to the user account of an employee with administrative privileges. The threat actor posed as the employee, using the employee’s personal information. This allowed the threat actor to bypass multi-factor authentication (“MFA”) security measures and access personal information stored on WestJet’s network. The threat actor moved laterally through WestJet’s systems to deploy ransomware, gain control of its virtual servers, and access and exfiltrate data from WestJet’s cloud storage.
  • WestJet discovered the breach on the day of the attack. The organization promptly took measures to contain the breach and issued a public advisory on its website on June 13, 2025Footnote 1. WestJet updated the public advisory in the following days as more information was available.
  • On June 14, 2025, WestJet reported the breach to the OPC.
  • The breach impacted the personal information of approximately 5,164,000 Canadian WestJet employees and customers. The types of personal information affected by the incident varied from person to person, depending on their interactions with WestJet, and may have included names, dates of birth, email addresses, mailing addresses, phone numbers, gender, information pertaining to recent travel bookings, and travel information such as passport information and/or other government issued identifiers.
  • WestJet has confirmed that no credit or debit card numbers, expiry dates, CVV numbers, guest passwords, or Social Insurance Numbers were obtained via the breach.
  • On July 23, 2025, WestJet began sending direct notifications to all affected employees.
  • On August 7, 2025, WestJet began sending direct notifications to other affected individuals.
  • WestJet also provided indirect notification about this breach through a banner on the top of its website, several posts on its Newsroom, and a new dedicated webpageFootnote 2.
  • WestJet ensured that individuals who were impacted by the incident could receive additional information about the incident. WestJet established a dedicated call centre via a third party, provided a detailed FAQ webpage, and remained available to answer questions from affected individuals via its customer support call centre.
  • WestJet offered a 24-month subscription to credit monitoring and identity theft protection services. The organization developed a look-up tool for internal use to ensure that affected individuals who were notified indirectly about the breach could access the same credit monitoring resources as individuals notified directly.
  • Where affected individuals were minors, WestJet informed parents and guardians about measures that they could take to add the minor’s Social Insurance Number to a High-Risk Fraud Alert database, since minors are not eligible for the credit monitoring servicesFootnote 3.

WestJet explained, in its initial reporting to the OPC and in subsequent representations, that it took several steps to remediate the breach, including the followingFootnote 4:

  • Identity and access protection: Strengthened identity and access controls, comprehensive credential resets, reinforced MFA requirements, enhanced identity verification, and tightened protections for remote and privileged access. In particular, WestJet:
    • Implemented mandatory MFA for WestJet Rewards accounts (external guest accounts), and strengthened MFA requirements on its employee and contractor accounts, including stricter requirements on privileged accounts, where the company has transitioned away from less secure MFA methods towards more secure MFA methods, such as authentication apps and hardware-based keys;
    • Reviewed its system access privileges and processes to reinforce security best practices and operational needs, including through the implementation of “least-privilege” and role-based access controls; and
    • Updated its risk-based access controls to ensure that both identity verification and access permission decisions are informed by contextual user behaviour and security risk signals and has implemented a verified process requiring live video or in-person recognition for the vast majority of employee credential and MFA resets subject to very limited operational exceptions.
  • Infrastructure and network hardening (i.e., application of security enhancements): Took additional steps to harden critical systems and infrastructure, including directory services, networks, and employee devices, and strengthened protections for sensitive platforms and business applications.
  • Threat detection and response: Expanded advanced detection and response capabilities, enhanced 24/7 security operations, specialized threat-hunting support to improve rapid identification, investigation and containment of potential threats. Monitoring and detection tools now use behaviour analytics to detect anomalous user activity, as well as additional logging and alert triggers to increase oversight over potential unauthorized activity, supported by a structured escalation process and expanded logging to increase visibility across the network. WestJet also conducts regular penetration testing to measure the efficacy of its controls.
  • Governance, communication, and awareness: Enhanced organization-wide communications, guidance, and stakeholder engagement to reinforce security awareness and clarify expectations. This included updating its internal privacy and cybersecurity training and awareness program to increase the focus on role-based security training tailored to technical access levels and risk profiles. The training includes password strength reminders, cyber-safety tips for employees with privileged access, how to spot and respond to phishing and social engineering attacks, and how to report cybersecurity and privacy issues.

Commitments

As part of this Compliance Letter, WestJet voluntarily commits to the additional actions set out below with a view to ensuring the adequacy of its updated security safeguards, continuing to address risks associated with the breach, and preventing future breaches in accordance with its obligations under PIPEDA.

External Security Assessment

    1. By August 7, 2026, at the request of the Commissioner, WestJet will provide the Commissioner with a confidential summary report of a security assessment to be conducted by a reputable and independent external security assessment firmFootnote 5, and at the Commissioner’s request, a confidential technical briefing to address any questions or clarifications. In providing this confidential summary report, WestJet does not waive any privilege over the assessment. This summary report will outline the firm’s assessment of WestJet’s information security safeguards, including those that have been updated following the breach occurrence, and will include at a minimum:
      1. a description of the safeguard enhancements;
      2. an assessment of the effectiveness of WestJet’s current safeguards to protect personal information and to prevent, detect, and respond to the threats and risks that gave rise to the breach;
      3. the identification of any remaining gaps in assessed security safeguards; and
      4. recommended solutions and timelines to address those gaps.
    2. By September 7, 2026, for any recommendations that may be included in the confidential summary report referenced in part (1), WestJet will inform the Commissioner on a confidential basis of the following (and in doing so does not waive privilege over the assessment):
      1. whether it has accepted each of the recommendations;
      2. for each recommendation that the organization has not accepted, the reasons why, and the alternative measures that it proposes to implement (along with timelines) to address the identified risk(s); and
      3. for each recommendation that the organization has accepted,
        1. whether the recommendation has been fully implemented;
        2. actions already taken by WestJet to implement the recommendation; and
        3. for those recommendations that are not yet fully implemented, an implementation plan, setting out the actions that WestJet will take to implement the recommendations and dates by which these actions will be completed.

The recommendations (or the fact that no recommendations have been made, if that is the case) and the implementation of measures to address them will be subject to review by the Commissioner for his determination of whether the measures adequately address PIPEDA requirements and constitute a fair and reasonable response to the CII.

Signature

Upon signing this letter, WestJet commits to the terms set out therein.

SIGNED at the City of Victoria in the Province of BRITISH COLUMBIA, this 8th day of July 2026.

Date modified: