What happened in the June 2025 WestJet cyber attack and how did it impact their systems?
In June 2025, Canadian airline WestJet experienced a cyber attack that caused disruptions to its website and mobile app. While flight operations remained unaffected, internal systems were compromised. The threat group Scattered Spider is suspected of carrying out the attack using social engineering techniques to bypass security protections. This blog explores the full incident, the methods used, the group behind it, and preventive measures organizations can adopt. A table also summarizes the key facts for easier understanding.

Table of Contents
- What Happened in the WestJet Cyber Attack?
- Who Is Behind the Attack?
- Breakdown of the WestJet Cyber Attack
- How Did the Attack Happen?
- Why the Airline Industry Is a Target
- Lessons Learned from the WestJet Incident
- Conclusion
- Frequently Asked Questions (FAQs)
In June 2025, WestJet Airlines, one of Canada's largest air carriers, became the latest target in a series of airline industry cyberattacks. The company reported a cybersecurity incident that disrupted access to its website and mobile application for many customers.
Although WestJet’s flights and operational infrastructure were not affected, the incident raised serious concerns over employee impersonation, social engineering, and how quickly attackers can bypass even strong protections like multi-factor authentication (MFA). Let's explore what happened, who might be behind it, and the cybersecurity lessons every organization should learn.
What Happened in the WestJet Cyber Attack?
WestJet officially announced in June 2025 that it had experienced a cybersecurity breach that caused:
- Intermittent access issues for users on its website and mobile app
- A compromise in some internal systems
- An ongoing investigation into data exposure, though no customer data leak was confirmed as of July
Although customers faced inconvenience, flight schedules, booking operations, and customer service remained operational during the incident. This points to a targeted attack likely focused on back-end systems or internal IT access.
Who Is Behind the Attack?
According to a later FBI alert, the WestJet incident might be connected to a known cybercrime group called Scattered Spider (also known as UNC3944 or Muddled Libra).
This group is notorious for targeting industries like airlines, hotels, and healthcare using:
- Social engineering attacks
- Help desk impersonation
- SIM swapping and MFA bypassing
- Ransomware deployment
- Credential theft and privilege escalation
They often trick IT or helpdesk teams into giving access to systems by pretending to be internal employees, using urgent language or fake employee IDs.
Breakdown of the WestJet Cyber Attack
Here’s a structured view of what we know so far:
Category | Details |
---|---|
Date of Incident | June 2025 |
Target Organization | WestJet Airlines (Canada) |
Type of Attack | Social Engineering + Internal System Compromise |
Disruption | Website and app access issues |
Flight Operations | Not affected |
Suspected Threat Actor | Scattered Spider |
Attack Vector | Impersonation of employees, Helpdesk trickery, MFA bypass |
Data Breach Confirmed? | Investigation ongoing; no confirmation of sensitive data breach yet |
Response by WestJet | Investigation, public announcement, customer advisories |
FBI Warning | Alerted about growing airline threats from the same threat group |
How Did the Attack Happen?
Scattered Spider’s method is more psychological than technical. Here’s a general process they follow:
- Reconnaissance – They collect names, job titles, phone numbers, or internal lingo from LinkedIn, data leaks, or past breaches.
- Impersonation – They call or email IT support or help desks, pretending to be employees who are locked out.
- Bypass MFA – They use SIM-swapping, voicemail hijacking, or pressure tactics to convince IT to reset MFA or send login codes to attacker-controlled devices.
- Initial Access Gained – They log in using valid credentials.
- Lateral Movement – They move through the network to reach sensitive systems.
- Data Exfiltration – In some cases, they steal sensitive customer data or credentials, or deploy ransomware.
Why the Airline Industry Is a Target
Airlines store vast amounts of sensitive customer information, including:
- Passenger names and contact details
- Travel and payment data
- Loyalty program credentials
- Flight planning and crew scheduling systems
They also rely heavily on legacy systems and third-party platforms that can be hard to secure. The distributed workforce and constant shift schedules also make it easier for attackers to trick employees or helpdesk teams.
Lessons Learned from the WestJet Incident
This cyberattack is a wake-up call for all industries, not just airlines. Here are the key takeaways:
1. Train Employees Against Social Engineering
Your first line of defense is awareness. Regularly train all staff, especially help desk and IT teams, to recognize:
- Impersonation attempts
- Urgent requests that demand quick access
- Common red flags in phishing calls or emails
2. Strengthen MFA with Contextual Security
While MFA is critical, it's not foolproof. Companies must use adaptive MFA that also considers:
- Device location
- User behavior
- Time of access
- Impossible travel detection
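As an added illustration (not code from WestJet or any vendor), the sketch below shows how these contextual signals can be combined into an allow / step-up / deny decision for a single sign-in. The profile fields, device names, coordinates and the 900 km/h speed ceiling are all assumptions constructed for the example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

# Constructed per-user baseline; a real one would be learned from sign-in history.
PROFILE = {
    "known_devices": {"laptop-7f3a"},
    "usual_hours": range(6, 20),  # local hours this user normally works
    "last_signin": ("2025-06-13T09:30:00", 51.05, -114.07),  # Calgary
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_signals(signin, profile):
    """Return the contextual signals that fire for one sign-in attempt."""
    signals = []
    now = datetime.fromisoformat(signin["time"])
    if signin["device"] not in profile["known_devices"]:
        signals.append("new_device")
    if now.hour not in profile["usual_hours"]:
        signals.append("unusual_time")
    prev_time, prev_lat, prev_lon = profile["last_signin"]
    hours = (now - datetime.fromisoformat(prev_time)).total_seconds() / 3600
    km = haversine_km(prev_lat, prev_lon, signin["lat"], signin["lon"])
    # Ignore short hops (GeoIP noise); flag distances no flight could cover in time.
    if km > 100 and (hours <= 0 or km / hours > MAX_KMH):
        signals.append("impossible_travel")
    return signals

def decide(signin, profile):
    """Map signals to an action: allow, step_up (require a stronger check) or deny."""
    signals = risk_signals(signin, profile)
    if "impossible_travel" in signals:
        return "deny", signals
    return ("step_up" if signals else "allow"), signals

# Constructed sign-in attempts for the same user.
ROUTINE = {"time": "2025-06-13T11:00:00", "device": "laptop-7f3a", "lat": 51.05, "lon": -114.07}
SUSPECT = {"time": "2025-06-13T10:15:00", "device": "phone-x91", "lat": 51.51, "lon": -0.13}

if __name__ == "__main__":
    for attempt in (ROUTINE, SUSPECT):
        print(attempt["device"], decide(attempt, PROFILE))
```

The important property is that a correct password plus a valid MFA code is not enough on its own: the second attempt is rejected because the context contradicts the user's baseline.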
3. Verify Internal Requests
Establish strict verification policies for password resets, MFA requests, and remote access. Use callback procedures or internal employee video verification for sensitive actions.
4. Segment and Monitor Internal Networks
Even if attackers get in, network segmentation can stop them from reaching high-value systems. Use real-time monitoring, SIEM tools, and access logs to detect unusual behavior.
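One detection that follows from lessons 3 and 4, shown here as an added example rather than anything from the incident itself: flag a sign-in from a never-before-seen device shortly after a help-desk MFA reset. The log format, event names, agent IDs and the 24-hour window are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed log lines in a hypothetical "time|event|user|detail" format.
LOG = """\
2025-06-10T09:00:00|signin|alice|device=laptop-7f3a
2025-06-12T14:02:00|mfa_reset|alice|by=helpdesk-agent-4
2025-06-12T14:09:00|signin|alice|device=phone-x91
2025-06-12T15:00:00|mfa_reset|bob|by=helpdesk-agent-2
2025-06-12T15:20:00|signin|bob|device=laptop-22c1
2025-06-11T08:00:00|signin|bob|device=laptop-22c1
"""

def parse(log):
    """Return (time, event, user, detail-dict) tuples in chronological order."""
    rows = []
    for line in log.strip().splitlines():
        ts, event, user, detail = line.split("|", 3)
        key, _, value = detail.partition("=")
        rows.append((datetime.fromisoformat(ts), event, user, {key: value}))
    return sorted(rows, key=lambda r: r[0])

def reset_then_new_device(log, window=WINDOW):
    """Flag sign-ins from an unseen device within `window` of a help-desk MFA reset."""
    seen = {}        # user -> devices observed so far
    last_reset = {}  # user -> (time, agent) of the most recent reset
    alerts = []
    for ts, event, user, detail in parse(log):
        if event == "mfa_reset":
            last_reset[user] = (ts, detail["by"])
        elif event == "signin":
            device = detail["device"]
            devices = seen.setdefault(user, set())
            reset = last_reset.get(user)
            # Rows are sorted, so any recorded reset precedes this sign-in.
            if device not in devices and reset and ts - reset[0] <= window:
                alerts.append((user, device, reset[1], ts.isoformat()))
            devices.add(device)
    return alerts

if __name__ == "__main__":
    for alert in reset_then_new_device(LOG):
        print("REVIEW:", alert)
```

Each alert names the help-desk agent who performed the reset, so the reviewer can check whether the callback or video verification step was actually followed.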
Conclusion
The WestJet cyber attack in June 2025 highlights how attackers are moving away from brute-force techniques and instead targeting human weaknesses. As social engineering becomes more common, businesses must look beyond just firewalls and antivirus tools.
A layered defense strategy, employee awareness, and strict verification protocols are essential to prevent such breaches. WestJet’s quick response and transparency are commendable, but the bigger lesson is clear: no organization is immune, and preparedness is the best protection.
FAQs
What was the WestJet cyber attack in June 2025?
The WestJet cyber attack in June 2025 was a cybersecurity incident that disrupted access to the airline's website and mobile app, although flights were unaffected.
Who was behind the WestJet cyber attack?
The FBI suspects the attack may be linked to the Scattered Spider threat group, known for targeting airlines using social engineering.
What systems were impacted in the WestJet cyber attack?
WestJet’s website and mobile app faced intermittent access issues. Internal IT systems were compromised, but flight operations continued normally.
Did WestJet lose customer data in the attack?
As of the last report, WestJet was still investigating whether any sensitive customer data was accessed or stolen.
How does Scattered Spider conduct its attacks?
They use social engineering tactics, often impersonating employees to trick IT help desks into giving access and bypassing multi-factor authentication.
What is social engineering in cyber attacks?
Social engineering is a manipulation technique where attackers deceive people into giving up confidential information or access to systems.
What is MFA and how did attackers bypass it?
MFA stands for multi-factor authentication. Scattered Spider bypassed it by impersonating legitimate employees to IT staff who then unknowingly granted access.
Was ransomware used in the WestJet cyber attack?
Although not confirmed, Scattered Spider is known to exfiltrate data first and then deploy ransomware as a second-stage attack.
Was WestJet the only airline targeted?
No, Scattered Spider has increasingly targeted the airline sector, and several other airlines have reported similar attacks.
How long did the disruption last?
WestJet reported intermittent website and app disruptions during the incident but did not specify the exact duration.
Were any flights canceled due to the attack?
No, flight operations remained unaffected throughout the cyber incident.
How did WestJet respond to the attack?
WestJet launched an internal investigation and worked with cybersecurity professionals and law enforcement agencies.
Did the FBI issue any warnings?
Yes, the FBI warned the airline industry about Scattered Spider and their growing attacks on internal systems via social engineering.
What are impersonation attacks?
These are attacks where cybercriminals pretend to be employees to gain unauthorized access to systems.
How can airlines defend against such attacks?
Airlines should adopt multi-layered defenses including security awareness training, better IT helpdesk protocols, and stronger MFA implementations.
What should IT helpdesk staff be trained on?
They should be trained to detect impersonation attempts and verify employee identity before granting system access.
How common are cyber attacks in the airline industry?
Cyber attacks on airlines are growing due to the large amount of sensitive personal and financial data involved.
What is internal system compromise?
It refers to unauthorized access and control of an organization’s internal servers or tools, often leading to data theft or further attacks.
How do attackers avoid detection?
Groups like Scattered Spider use techniques such as detection evasion, monitoring for analysis tools, and quickly shutting down if discovered.
What is the role of security awareness training?
It educates employees about threats like phishing, impersonation, and other social engineering tactics, reducing the risk of human error.
How do cybercriminals exfiltrate data?
They extract or copy sensitive data from compromised systems, which can then be sold or used for extortion.
Can MFA alone stop cyber attacks?
No, attackers are finding ways to bypass MFA, especially through human manipulation. MFA must be part of a broader security strategy.
What is the impact of downtime on airline services?
Even if flights run normally, downtime of digital services impacts customer experience, booking, and brand trust.
Has WestJet recovered from the attack?
WestJet restored its digital services and continued investigating the incident with the help of experts.
Is it safe to book with WestJet after the attack?
Yes, there has been no indication that flight safety or future bookings were compromised.
What is Scattered Spider’s main objective?
Their goal is to steal sensitive data and, in many cases, demand ransom payments after system access.
How can customers protect themselves?
By using strong, unique passwords and enabling MFA where available. Staying informed about phishing tactics also helps.
What tools do attackers use to monitor analysis?
They detect analysis tools such as Selenium and Burp Suite, and redirect sessions to avoid detection and prevent investigation.
How can organizations verify identity during IT support?
By using secure identity verification tools like OTPs, ID verification software, or callback verification protocols.
What sectors are most at risk from social engineering?
Airlines, healthcare, finance, and government sectors are high-value targets for these sophisticated social engineering attacks.
Is this a trend or an isolated case?
It's part of a growing trend of cybercriminals using human manipulation to breach corporate security in high-value industries.