WestJet says customer data exposure affected less than 0.05% of customers

WestJet says a technical issue that exposed the personal data of some of its online users to other customers affected only a small number of people, and that staff would be following up with them.

On Wednesday, several people told CBC News they could see profile information of other users which included phone numbers, home addresses, dates of birth, email addresses, WestJet dollar and flight voucher details, and in some cases, the last four digits of a user's credit card number.

WestJet said the issue was identified in the late afternoon on Wednesday and was resolved in about a half hour.

This mix-up of customer data was on both the WestJet app and online site.

In an updated statement Thursday, the airline company said less than 0.05 per cent of user profiles were affected. WestJet said specific numbers are not publicly available due to the confidentiality of its rewards program.

The airline said the issue arose due to a change in technology. It also said that information like passwords, credit card numbers and passport details were not exposed.

"We take the privacy of our guests extremely seriously, and we sincerely apologize to those impacted," WestJet said in a statement.

But one WestJet customer who spotted the glitch Wednesday remains concerned that it happened in the first place.

"I don't think they're taking it seriously enough," said Derek Bowen, who was able to see another customer's information.

Bowen, who is from Nanaimo, B.C., worries the problem could have lasted longer than the airline believes, and fears he and his wife's data could have been exposed.

"I think WestJet needs to be more transparent as to what happened," said Bowen, adding he reported the issue via Twitter but had yet to receive a substantial followup by Thursday morning.

Bowen said he plans on removing the credit card he keeps on file, as well as his Nexus card. He will also change his password.

 A spokesperson for the Office of the Privacy Commissioner of Canada said Friday that it had not received any complaints about the incident.

However, he said the office is "aware of the matter" and has been in communication with WestJet to obtain more information and determine next steps. 

Don't save credit card info online: cybersecurity expert

Changing your password regularly should be standard practice as an online consumer, said John Zabiuk, chair of NAIT's cybersecurity program in Edmonton.

Zabiuk suspects WestJet's issue had something to do with session IDs, the unique connection code created when a computer or device connects to a server.

WestJet said the problem occurred Wednesday "as a result of an internal technology change," in their online statement.

Zabiuk said it's a "tough situation" for customers who want to avoid situations like this as transportation booking sites often require personal information and documents to complete purchases.

Simple steps he recommends are to frequently change passwords, make sure a password is strong (and not easy to guess), not use the same password across multiples accounts and to never save credit card information online.