Cybersecurity incident - WestJet
- T Sidney Martin
- Jun 18
On June 14th, 2025, WestJet announced it became aware of a cybersecurity incident affecting parts of its internal software architecture. Affected areas included WestJet's mobile app, some of its servers, software systems (although they have not specified which ones), and "internal systems".
Airline System Vulnerabilities
Airlines face several critical cybersecurity vulnerabilities due to their complex, interconnected systems:
Operational Technology (OT) Systems: Flight management systems, air traffic control interfaces, and ground operations systems are often legacy systems that weren't designed with modern cybersecurity in mind. These systems control critical safety functions and are increasingly connected to corporate networks.
Customer-Facing Applications: Mobile apps, reservation systems, and passenger service systems handle vast amounts of personal and payment data. They're attractive targets because they're internet-facing and contain valuable information.
Supply Chain Dependencies: Airlines rely on numerous third-party vendors for everything from catering to maintenance systems. Each vendor connection creates potential entry points for attackers.
Employee Access Systems: With thousands of employees across multiple locations, managing access controls is complex. Privileged accounts for maintenance, operations, and IT staff are particularly valuable to attackers.
Communication Networks: Airlines use various communication systems including ACARS (Aircraft Communications Addressing and Reporting System), which can be vulnerable to interception and manipulation.
WestJet Vendors and Systems
Primary Reservation System: WestJet uses Sabre's SabreSonic passenger service system (PSS) and renewed their agreement in 2021. This handles reservations, inventory management, and customer data.
Aircraft Fleet: WestJet operates Boeing 787-9 Dreamliners and Boeing 737-8 MAX aircraft, which use Boeing's flight management systems and avionics.
Other Known Partners: WestJet has codeshare agreements with Aeromexico, Air France, and Qantas, and previously had a capacity purchase agreement with Pacific Coastal Airlines for WestJet.
Typical Airline System Architecture
Flight Management Systems: Boeing aircraft typically use Boeing's Flight Management Computer (FMC) systems integrated with Honeywell, Collins Aerospace, or Thales avionics.
Air Traffic Control Interfaces: Airlines use ACARS (Aircraft Communications Addressing and Reporting System) and ADS-B (Automatic Dependent Surveillance-Broadcast) systems to communicate with air traffic control.
Ground Operations: These typically include aircraft maintenance tracking systems, crew scheduling systems, baggage handling systems, and gate management systems from vendors like SITA, Amadeus, or proprietary solutions.
Most Likely Attack Vector Analysis
Given the available information and common attack patterns, here is the most probable attack route:
Supply Chain Compromise: The most likely scenario is a compromise through a third-party vendor or service provider. Airlines rely heavily on external vendors for IT services, maintenance systems, catering, ground handling, and other services. An attacker could have gained initial access through a less-secured vendor system and then moved laterally into WestJet's network.
Specific Probable Vectors:
Remote Access Tools: Many airlines expanded remote access capabilities during COVID-19. Poorly secured VPN endpoints or remote desktop services could provide initial access.
Email-Based Attack: Spear-phishing targeting employees with access to critical systems, possibly using social engineering related to operational disruptions or urgent maintenance issues.
Third-Party Software Vulnerability: An unpatched vulnerability in a commonly used airline software system (scheduling, maintenance, or customer service platforms).
The fact that flight operations continue safely suggests the attackers either didn't target operational technology systems or WestJet has good network segmentation. The focus appears to be on business systems, which often contain valuable customer data and financial information.
The incident's timing and scope suggest this could be a ransomware attack targeting business continuity rather than safety systems, which would explain why some internal systems and the mobile app are affected while flights continue operating.
What's Missing
One valuable area for hackers to data-mine is typically job postings. WestJet appears to have removed the majority of this information from its job postings, having either learned this lesson before or had the awareness to plan for this inevitable predicament. Information from job postings can be valuable; insights can be gathered on the following:
Technology Stack: Companies often list specific software, programming languages, databases, and cloud platforms they use (e.g., "Experience with SAP, Oracle, AWS, Azure")
Security Tools: Cybersecurity job postings frequently mention specific security platforms, SIEM tools, vulnerability scanners, and compliance frameworks
Network Infrastructure: IT positions often reference specific networking equipment, virtualization platforms, and enterprise software
Legacy Systems: Requirements for maintaining older systems can reveal potential security vulnerabilities
Organizational Structure: The types of roles and responsibilities can indicate how security is organized and where gaps might exist
Why is this data valuable?
Including specific data on job postings is concerning because it may provide attackers with:
Attack Surface Mapping: Understanding what systems and technologies to target
Social Engineering Intelligence: Information about employees, roles, and organizational structure
Vulnerability Research: Knowing specific software versions to research for exploits
Credential Targeting: Understanding what types of access different employees have
Defensive Recommendations
Organizations should consider:
Job Posting Reviews: Regularly review job postings to ensure they don't reveal sensitive technical details
Generic Technology Descriptions: Use broader terms rather than specific product names and versions
Security Awareness: Train HR and hiring managers about information security implications
Threat Intelligence: Monitor for reconnaissance activities targeting your organization's job postings
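A "Job Posting Review" can be partly automated. The script below, added here as an illustration and not code from WestJet or any vendor, scans posting text for the two kinds of detail the article warns about: specific product names (mapped to the broader wording the "Generic Technology Descriptions" recommendation suggests) and explicit version numbers. The product watch-list, the generic replacements and the two sample postings are all constructed for this example; a real review would maintain the watch-list from the organization's own asset inventory.

```python
"""Scan job-posting text for technical details that map an organization's
attack surface (product names, versions, cloud platforms, security tooling).

Added example for this article, not WestJet's or any vendor's code. The
watch-list and the sample postings are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical watch-list: specific products whose mention in a public posting
# tells an outsider what to research, each paired with a broader term a hiring
# manager could use instead. Keys are lower-case; matching is case-insensitive.
SPECIFIC_PRODUCTS: dict[str, str] = {
    "sap": "enterprise resource planning (ERP) platform",
    "oracle": "relational database platform",
    "aws": "a major public cloud provider",
    "azure": "a major public cloud provider",
    "splunk": "a SIEM platform",
    "nessus": "a vulnerability scanner",
    "cisco asa": "enterprise firewall appliances",
    "vmware vsphere": "a server virtualization platform",
    "windows server 2012": "legacy server operating systems",
}

# Dotted version strings ("6.7", "v11.2.0") are the highest-value detail in a
# posting because they narrow down which known flaws apply. Plain integers
# such as "5+ years" are deliberately not matched.
VERSION_RE = re.compile(r"\bv?\d+\.\d+(?:\.\d+)*\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int         # 1-based line number within the posting
    category: str     # "product" or "version"
    text: str         # the matched snippet
    suggestion: str   # generic wording to use instead


def scan_posting(posting: str) -> list[Finding]:
    """Return every product-name or version match, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(posting.splitlines(), start=1):
        lowered = line.lower()
        for product, generic in SPECIFIC_PRODUCTS.items():
            if re.search(r"\b" + re.escape(product) + r"\b", lowered):
                findings.append(Finding(lineno, "product", product, generic))
        for match in VERSION_RE.finditer(line):
            findings.append(Finding(lineno, "version", match.group(0),
                                    "omit the version number"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {"product": 6, "version": 1}."""
    return dict(Counter(f.category for f in findings))


# Constructed sample postings (not real listings). The first leaks the stack;
# the second says the same thing in the generic terms the article recommends.
LEAKY_POSTING = """Senior Systems Administrator
Required: 5+ years administering VMware vSphere 6.7 and Windows Server 2012 R2.
Experience with Splunk for log analysis and Nessus for vulnerability scanning.
Familiarity with AWS and Azure environments."""

GENERIC_POSTING = """Senior Systems Administrator
Required: 5+ years administering server virtualization and Windows environments.
Experience with SIEM platforms and vulnerability management tooling.
Familiarity with public cloud environments."""


if __name__ == "__main__":
    for label, posting in (("leaky", LEAKY_POSTING), ("generic", GENERIC_POSTING)):
        results = scan_posting(posting)
        print(f"{label}: {summarize(results) or 'no findings'}")
        for f in results:
            print(f"  line {f.line}: {f.category} '{f.text}' -> {f.suggestion}")
```

Run against the leaky posting it reports six product mentions and one version string; against the generic rewrite it reports nothing. The "Threat Intelligence" recommendation is a separate control: this scanner reduces what a posting gives away, while monitoring careers-page access logs for scraping is what would tell you someone is collecting it.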