SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers
Canada

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Worried traveler holding passport id computer warning symbol realistic
#
Data Protection
#
MFA
#
Physical Security

WestJet data breach exposes passports, fuelling identity fraud risks

Wed, 8th Oct 2025
Author image
By Kaleah Salmon, Journalist

A recent cyberattack on WestJet has resulted in the exposure of sensitive passenger documents, including passports and government-issued IDs, raising concerns about the long-term risks of identity theft and the increasing use of such documents in synthetic identity fraud.

Details of the breach

WestJet, an airline transporting more than 25 million passengers each year across over 100 destinations, confirmed that a cybersecurity incident in June led to unauthorised access to passenger information. Notifications sent to affected customers and authorities revealed that the compromised data included passengers' full names, dates of birth, mailing addresses, travel records, accommodation and complaint details, WestJet Rewards Member IDs and point balances, as well as travel documents, such as passports and government-issued IDs. Details linked to WestJet RBC Mastercards were also affected, though payment card numbers, CVVs, expiry dates, and passwords were not exposed.

Industry analysts emphasise that the exposure of documents, such as passports and IDs, is significantly more serious than a breach involving only payment cards. This is due to the challenges in replacing official documents and the persistent risk posed by the data, which can remain valuable to malicious actors for years.

Rising synthetic identity fraud

The incident comes amid a broader trend of escalating synthetic identity theft. An analysis by Incogni, a personal data privacy company, has shown that passports and IDs are now highly prized assets for cybercriminals. These documents, often referred to as the 'gold standard' in fraud, are crucial in constructing false identities used in various fraud schemes. According to Incogni's recent Analysis of Cybercrime and Fraud Statistics, identity theft has been the predominant type of cybercrime for five consecutive years. Recent estimates indicate that identity theft occurs every 22 seconds in the United States.

Incogni also reported that passport or national ID documents are targeted in almost half (47%) of document fraud cases. Losses attributed to identity theft currently average USD $1,160 per victim, with annual damages exceeding USD $16 billion.

"Individuals and organisations need to better protect, and whenever possible by any means necessary not share, sensitive data in an era where it is now being used not just being stolen by cybercriminals and nation states but also by legitimate organisations that are using it for their own purposes to manipulate specific outcomes," said Ron Zayas, CEO of Incogni.

Long-term risks

Security experts caution that the risks associated with stolen identity documents persist long beyond the initially offered period of monitoring support, which in WestJet's case is two years. While credit cards can be reissued and payment information changed quickly, compromised passports and IDs can be used to facilitate synthetic identity fraud, counterfeiting, and impersonation schemes for years to come.

The exposure of travel records also increases the likelihood of targeted phishing or impersonation attempts, as criminals can use contextual details to make their attacks more convincing. Passports and IDs, in combination with information about travel history, provide a comprehensive profile that fraudsters can utilise.

Recommended steps for travellers

Incogni recommends several measures for affected passengers and the wider travelling public. These include enrolling in identity theft monitoring programmes (such as the two years of free coverage being provided by WestJet), using strong and unique passwords, and enabling multi-factor authentication to secure online accounts. Travellers are also advised to actively remove personal contact details and associated information from people-search websites and data broker platforms. Doing so reduces the surface area available to criminals attempting to build synthetic identities or conduct scams.

In the event of suspicious phone calls or emails, Incogni urges individuals to report incidents to the appropriate national anti-fraud hotlines, such as the Canadian Anti-Fraud Centre and the US Federal Trade Commission, to help authorities track and respond to new scams quickly.

Industry experts anticipate a surge in synthetic identity fraud, particularly involving high-value documents such as passports and government-issued IDs, to accelerate in 2026. As a result, both individual travellers and organisations are being reminded to carefully protect their personal information and remain vigilant for signs of identity theft.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Ken Washington named chairman at i-GENTIC AI to drive governance
Arista & Palo Alto Networks launch new AI-era data centre security
Instagram posts fuel surge in money mule recruitment schemes
SOTI upgrades platform to boost retail device security & speed
Retailers face surge in AI-driven cyber threats & supply chain risks

Top stories

Most organisations neglect key security in rapid AI adoption
CISOs see pay rise outpace budgets as market activity intensifies
Wrap up of Commvault Cloud Unity unifies data, cyber & identity resilience
Tenable named leader in 2025 Gartner quadrant for exposure platforms
Duality & Google Cloud launch confidential AI with GPU power