Canada’s WestJet, the country’s second-largest airline, has confirmed that the personal data of 1.2 million passengers was stolen in a cyberattack and data breach earlier this year.
The disclosure came in a filing with Maine’s attorney general, which also confirmed that 240 state residents were directly affected. According to the notice, the stolen data may include names, dates of birth, postal addresses, travel documents such as passports and government-issued IDs, along with customer requests and complaints.
WestJet also warned that customer rewards information may have been compromised, including account details and points balances.
The airline first revealed the security incident in June after discovering its systems had been breached and sensitive passenger data had been exfiltrated. However, details of the scale only surfaced in the new regulatory filing.
While WestJet spokesperson Jennifer Booth declined to comment further, media reports have linked the breach to Scattered Spider, a hacking group composed largely of English-speaking young adults and teenagers. The financially motivated group is known for targeting IT help desks with social engineering tactics to gain unauthorized access to corporate systems.
Related: Cyberattack Disrupts Check-Ins, Delays Hundreds of Flights at Heathrow and Other Airports
Earlier this year, the FBI and cybersecurity firms warned that Scattered Spider was targeting the transportation and aviation sector. Australian carrier Qantas was also allegedly attacked by the group, which resulted in the theft of more than 6 million customers’ personal records.
