July 14, 2026
OPCPIPEDASafeguardsWestJet Data Breach: MFA Was Bypassed, Not Broken
By Yong Du
WestJet's attacker didn't break MFA — they impersonated an employee to bypass it. The question isn't 'do we have MFA' but how you verify identity.
What happened
On June 12, 2025, an attacker used social engineering to impersonate a WestJet employee — using that employee's own personal information — and bypassed multi-factor authentication to reach an account with administrator privileges. The attacker then moved laterally through WestJet's systems, deployed ransomware, took control of its virtual servers, and exfiltrated data from cloud storage. WestJet discovered the breach the same day, posted a public advisory on June 13, and reported it to the Office of the Privacy Commissioner of Canada (OPC) on June 14.
About 5.16 million Canadian employees and customers were affected — names, dates of birth, contact details, and, for some, passport numbers and other government identifiers. Because airlines are federally regulated, the obligations here fall under PIPEDA, not Alberta PIPA.
MFA was bypassed, not broken
On August 5, 2025, the Commissioner opened a Commissioner-initiated investigation into two questions: were WestJet's security safeguards adequate, and was its notification to affected individuals adequate. It ended with a compliance letter signed July 8, 2026 — not a finding of wrongdoing — in which WestJet committed to an independent security assessment and to closing any gaps it identifies.
The instructive part is how the account was reached. On the facts in the letter, MFA was not defeated technically. The attacker got around it by posing as the employee and using that person's own personal information — a social-engineering problem, not a cryptographic one.
Where the accepted remediation lands says the rest. Alongside moving to stronger MFA methods (authenticator apps, hardware keys) and least-privilege access, WestJet committed to requiring live video or in-person verification before most credential and MFA resets. The control doing the heavy lifting is identity verification: proving someone is who they claim before you trust or re-issue their access.
What it means for your safeguards
PIPEDA requires safeguards appropriate to the sensitivity of the information (Principle 7), and the OPC weighed WestJet's against that standard. The lesson scales to any size. The safeguard question is not "do we have MFA." It is "how do we verify identity before we trust or re-issue it" — at the help desk, during a password or MFA reset, when a privileged account changes hands.
What to do now
- Map every way an employee's access can be reset or re-issued — help desk, self-service, admin override — and decide how identity is verified at each point.
- Move privileged accounts to stronger MFA (authenticator apps or hardware keys) and least-privilege access.
- Confirm your breach response names who assesses real risk of significant harm, and how fast — WestJet reported in two days.
Start your breach assessment → — or see a sample breach report first.
Related guides
- PIPEDA Compliance Requirements — the safeguards, access controls, and training regulators expect before a breach
- PIPEDA Breach Reporting Requirements — when to report to the OPC, who to notify, and what to keep
- What Is Real Risk of Significant Harm (RROSH)? — the threshold that triggers reporting and notification
- Unauthorized Employee Access — Quick Reference — first steps when an account is compromised
Source: Office of the Privacy Commissioner of Canada — Compliance Letter, WestJet (file PIPEDA-051877), signed July 8, 2026.
ClearBreach covers PIPEDA, Alberta PIPA, and BC PIPA. Quebec Law 25 and Ontario PHIPA are outside our scope. If your organization operates in Quebec, engage Quebec-specific privacy counsel.
This article is educational and does not constitute legal advice. It is grounded in published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.