WestJet has revealed that some customer information was accessed during a cyberattack in June, though the airline maintains that the majority of cases did not involve “sensitive” data.

On Monday, the carrier issued a notice to U.S. residents as part of its investigation into the June 13 breach, describing the attack as the work of a “sophisticated, criminal third party.”

The company emphasized that its internal safeguards prevented hackers from obtaining payment details such as credit and debit card numbers, expiration dates, CVV codes, and user passwords. However, certain personal information was exposed. This included passengers’ names, contact information, travel-related documents, reservation details, and data reflecting their relationship with WestJet.

“Containment is complete, and some additional system and data security measures have been implemented,” WestJet stated in its release. “However, analysis is ongoing, and WestJet will continue to take measures to further enhance its cybersecurity protocols.”

The airline confirmed that it is directly notifying affected customers, offering guidance through its website, and has engaged Cyberscout to provide fraud prevention and remediation services.

Authorities, including the U.S. Federal Bureau of Investigation (FBI) and the Canadian Centre for Cyber Security, are working with WestJet on the probe.

 Notifications have also been sent to U.S. credit reporting agencies — TransUnion, Experian, and Equifax — as well as several state attorneys general, Transport Canada, the Office of the Privacy Commissioner of Canada, and other relevant regulators worldwide.