*Source article: "Canadian airline WestJet is investigating a cyber-attack that struck on June 13"*
# Incident Report: WestJet Customer Service Cyber-Attack
## Executive Summary
WestJet, Canada's second-largest airline, experienced a cybersecurity incident beginning around Friday, June 13th (implied date based on reporting) that impacted internal systems and the WestJet app, leading to restricted access for several users. While flight operations remained unaffected, customer-facing services were disrupted. The response involved activating specialized internal teams, cooperating with law enforcement and Transport Canada, and managing customer expectations through periodic updates.
## Incident Details
- **Discovery Date:** Friday (implied, based on statement release)
- **Incident Date:** Beginning Friday (specific start time unknown)
- **Affected Organization:** WestJet Airlines
- **Sector:** Airline/Aviation
- **Geography:** Canada (Headquartered in Calgary)
## Timeline of Events
### Initial Access
- **Date/Time:** Friday (Start date unspecified)
- **Vector:** Not explicitly disclosed in the provided text. Stated as a "cybersecurity incident involving internal systems."
- **Details:** The incident restricted access for several users attempting to use the WestJet app and potentially other online services.
### Lateral Movement
- Details are not provided in the summary text.
### Data Exfiltration/Impact
- The primary impact was **operational disruption** to the WestJet app and website access.
- The statement advised guests and employees to "exercise additional caution at this time, especially when sharing personal information," implying potential compromise of customer or employee data.
### Detection & Response
- **How it was discovered:** WestJet detected the activity on internal systems, leading to the decision to issue public statements beginning Friday.
- **Response actions taken:**
1. Activated specialized internal teams.
2. Engaged law enforcement.
3. Engaged Transport Canada.
4. Issued periodic updates (roughly every 12 hours over the weekend).
## Attack Methodology
*Note: Since the article is an initial report, specific TTPs are largely speculative or based on general incident response.*
- **Initial Access:** Unknown.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown; the incident was detected, indicating some security controls were active.
- **Credential Access:** Potential threat, as customers were warned about sharing personal information.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Potential, given the warning regarding personal information sharing, suggesting exploration of customer data stores.
- **Exfiltration:** Unknown, but hinted at by the caution regarding sharing personal data.
- **Impact:** Disruption of online services (website/app accessibility).
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Potential PII/personal data exposure suggested by warnings to customers, though verification was pending.
- **Operational:** Intermittent interruptions or errors for customers using the WestJet app and website. Flight operations were *not* affected.
- **Reputational:** Negative impact due to service outages and mandatory public communication regarding a security incident.
## Indicators of Compromise
*No specific IOCs (IPs, domains, hashes) were provided in the text.*
- **Behavioral indicators:** Restricted access to internal systems, customer-facing application errors.
## Response Actions
- **Containment measures:** Activation of specialized internal teams to limit impacts.
- **Eradication steps:** Not specified, as investigation was ongoing.
- **Recovery actions:** Working to restore full functionality and resolve the issue, as reflected in the ongoing status updates.
## Lessons Learned
- **Key takeaways:** Immediate activation of stakeholders (law enforcement, regulatory bodies like Transport Canada) is crucial for response coordination.
- **What could have been done better:** Balancing prompt disclosure against the need for comprehensive details is a challenge; the article notes it was "too early to speculate on details."
## Recommendations
- Implement enhanced monitoring on customer-facing authentication and application services.
- Review and test incident response playbooks specifically addressing major service availability impacts.
- Prepare standardized, detailed customer communication templates that distinguish data compromise scenarios from service disruption scenarios.