Calgary Herald

Breach exposes WestJet customer profiles

- ALANNA SMITH alsmith@postmedia.com

WestJet says “it has become aware” that profile data for some of its WestJet Rewards program members was revealed online by what the company calls an unauthorized third party.

The disclosed data did not include credit card or banking information, WestJet said. The company said it is working with the Calgary Police Service and the RCMP in their investigation of the privacy breach.

“WestJet is in the process of contacting affected guests and we deeply regret any inconvenience this may cause,” Craig Maccubbin, WestJet’s executive vice-president and chief information officer, said in a news release.

“It’s hard to say whether (the attack) was targeted,” said cybersecurity expert and former Calgary police officer Kathy Macdonald. She said the hackers might have been testing the security parameters of the WestJet network for another breach, or simply wanted the user information.

The company says it has notified the Information and Privacy Commissioner of Alberta and the federal privacy commissioner about the disclosure of personal information.

Macdonald said companies that gather identifying information are being targeted all the time, even if they don’t collect credit card details. She said WestJet should take this opportunity to examine their security and strengthen it.

Companies should dispose of data that is no longer needed, determine if they are collecting more information than they need and ensure proper protection for their most valuable information.

Events like these are becoming increasingly common.

“A lot of the big organizations have been targeted — multiple times even. Target, Home Depot, Sony, the Hilton family, P.F. Chang’s, I mean the list just goes on and on,” Macdonald said.

She said email is one of the most common attack targets, through which hackers send well-crafted messages drawing people to click a link or send personal information.

Last month, personal details about patrons of Calgary’s Cowboys Casino were put online by hackers a year after a massive cyber attack. Information about customer payouts, tracking of gambling habits and the casino’s “elite members list” were among the stolen data.

In May, a High River charity called Rowan House thwarted an attempted hacking incident by abandoning its website.

In 2016, the University of Calgary paid $20,000 after a ransomware cyberattack took command of its computer systems. In November of last year, Ottawa’s Carleton University became a victim of a similar attack, and hackers demanded the school pay bitcoins in exchange for access to its computer networks.

For consumers, Macdonald said people should be selective to minimize as much risk as possible.

“These companies do protect as much as they can,” she said, but there is no foolproof protection available.

“It’s like a lock on the door kind of thing. Nothing is 100 per cent.”
