WestJet’s Breach Should Worry Every Canadian Business Leader

Jun 16, 2025 | Cyber Security, Disaster Recovery, Managed IT Services (MSP)

Brief: On June 14, 2025, WestJet confirmed a serious cyber attack that disrupted operations and triggered a federal investigation. While most headlines focused on travel delays, the real takeaway is this: no Canadian business—regulated or not—is immune to the downstream impact of cyber attacks on critical infrastructure. This article breaks down what the breach means for mid-sized organisations, why Bill C‑26 and cyber insurance are raising the bar for readiness, and how co-managed Cyber Security is becoming the default model for resilient Canadian companies. Learn what every executive should be asking right now—and why Cyber Security is no longer just an IT issue, but a board-level one.

“You may not be interested in war, but war is interested in you.” — Leon Trotsky

On 14 June 2025, WestJet confirmed it was the target of a cyber incident. The airline disclosed disruptions to its mobile app and internal systems, with reports indicating involvement from Transport Canada and law enforcement. The full extent of the compromise remains unclear, but the message was unmistakable: this wasn’t a drill. And if you’re in the business of critical services—transportation, healthcare, finance, manufacturing—you should be paying close attention.

WestJet isn’t an SMB. But its breach is exactly the kind of upstream event that ripples through every tier of the Canadian economy. Mid-market companies—especially those with internal IT teams—need to stop thinking like bystanders and start preparing like participants. Because whether you’re regulated or not, your customers, partners, and insurers are treating you like you are.

This post isn’t about the airline. It’s about what this breach means for your business.

The Breach: What We Know So Far

WestJet reported a cybersecurity event that forced it to temporarily disable parts of its digital infrastructure, including its mobile app. The attack occurred on the heels of other high-profile disruptions to critical infrastructure players in Canada—Emera, Nova Scotia Power, and London Drugs among them. No ransomware group has claimed responsibility yet, but early reports suggest the breach may involve data access and operational interruption.

While most Canadian media outlets focused on consumer travel delays, the real story for business leaders is this: WestJet’s breach is not isolated. It’s part of an accelerating trend targeting companies that keep Canada running.

If They Can Be Hit, So Can You

WestJet has a mature IT function, compliance obligations, and a board that takes cyber risk seriously. Yet, like many enterprises, they’re still vulnerable—especially through third-party applications, mobile endpoints, and supply chain dependencies.

So where does that leave mid-sized Canadian businesses?

Most mid-market firms now operate in hybrid environments: internal IT teams managing some systems, with third-party providers covering others. This co-existence creates both capability and complexity. And complexity—especially around integration points—is exactly what attackers exploit.

This is not about alarmism. It’s about realism.

Canadian Mid-Market Firms Are Already in the Blast Radius

You may not be an airline. But odds are, you’re connected to one—or to a hospital network, energy provider, or financial institution. And that connection is all it takes. Modern threat actors don’t target businesses based on size—they target based on access.

If your organisation:

  • Shares customer or payment data with larger enterprises

  • Connects via APIs, EDI, or shared SaaS tools

  • Provides subcontracted or outsourced services to regulated industries

  • Operates in healthcare, law, finance, logistics, or manufacturing

…then you’re part of the attack surface, whether you realise it or not.

More Than WestJet: 2025 Has Already Been a Rough Year for Canadian Cyber Security

If you think WestJet is an isolated case, think again. Here’s what else has already happened in Canada this year:

Each one disrupted essential services—and each one forced leadership teams to answer hard questions under pressure.

The lesson? You don’t need to be the target to be in the blast zone. If you’re connected—by data, by contract, by cloud—you’re already exposed.


The Leadership Blind Spot: Mistaking Internal IT for Internal Resilience

Too often, Canadian executives assume their internal IT team has things covered. After all, you’re patched, firewalled, and running backups. But the lesson from WestJet is this: that’s not enough.

Cyber maturity today isn’t about baseline hygiene—it’s about response capability.

  • Can you simulate a real-world breach scenario across departments?

  • Can you measure the cost of 3 hours of operational downtime?

  • Can you demonstrate to insurers, regulators, or customers that you have a board-level cyber plan?

If not, then your organisation isn’t resilient—it’s just lucky.

What Bill C‑26 Changes for You—Even If You’re Not Regulated

Canada’s Bill C‑26, the Critical Cyber Systems Protection Act, is expected to formally take effect in 2025. While it directly applies to federally regulated critical infrastructure providers, its impact will cascade downstream to their partners, vendors, and contractors. That means even if you’re not directly regulated, your business will feel the pressure to comply.

In practice, this means:

  • Customer audits: More RFPs and contracts now include mandatory cyber disclosures.

  • Insurance hurdles: Cyber insurers are demanding proof of breach response protocols, not just coverage wish lists.

  • Operational strain: Internal teams are expected to simulate incidents, produce metrics, and update policies—without additional headcount or budget.

Bill C‑26 won’t just impact telecoms and airlines. It’s already cascading down to their vendors and partners—which means your business is in scope.

Why Co-Managed Cyber Security Is Becoming the Default

You don’t need another vendor. You need a partner who can augment your internal IT with outcome-driven security expertise—especially in the face of rising complexity, compliance demands, and board scrutiny.

Co-managed Cyber Security is not outsourcing. It’s collaboration.

At F12, we see Canadian mid-market businesses increasingly adopt a co-managed model because it:

  • Closes capability gaps without replacing your team

  • Provides breach simulation and executive tabletop exercises

  • Improves reporting and visibility for insurance and board review

  • Links Cyber Security efforts to business outcomes, not just technical tasks

Most importantly, it helps leaders lead. Because Cyber Security today is no longer just an IT function—it’s a business continuity function.

Three Executive Actions You Should Take This Month

Whether you’re a COO, CFO, or President, you don’t need to understand every technical detail of the WestJet breach to know this: you’re accountable for your organisation’s readiness. Here’s what that should look like:

1. Simulate a Breach Response

Gather your IT lead, operations manager, and head of finance. Walk through a 3-hour system outage triggered by a ransomware alert. Ask:

  • Who’s in charge?

  • What gets shut down?

  • What do we tell customers?

  • How do we involve law enforcement or insurers?

Then ask your team how long it would really take to recover.

2. Audit Your Supply Chain Exposure

Map out your 10 most critical vendors. Do they connect directly to your systems? Have they been vetted for cyber maturity? Do your contracts include breach notification obligations?

If not, you may be absorbing risk you don’t control—and won’t see coming.

3. Review Your Executive Reporting

Can you quantify:

  • Downtime risk in dollar terms?

  • The value of Cyber Security spend beyond “keeping the lights on”?

  • Your alignment with Bill C‑26 or other frameworks?

If the answer is “sort of,” then you’re not ready for your next board meeting—or your next client RFP.

Breaches Are the New Benchmark

WestJet’s breach wasn’t just a disruption—it was a test. Not just of their systems, but of their leadership, communications, and resilience. Canadian mid-market firms should take this as a free (and rare) opportunity: to prepare before it’s your turn.

Because once a breach hits your doorstep—whether through a third party, a mobile vulnerability, or a credential leak—it’s too late to build a plan. The response will be public. The impact will be felt. And the standard you’ll be judged by will be: “Did you see this coming?”


Cyber Maturity Is Measured in Outcomes, Not Promises

The real message of the WestJet breach is not “be scared.” It’s “be ready.” Readiness isn’t a matter of budget size or headcount—it’s a matter of having a repeatable, measurable, board-visible process for responding to what’s now a business inevitability.

At F12, we work with mid-market companies every day to move from hope to confidence. We don’t just manage systems—we simulate threats, validate responses, and help leadership teams speak the language of risk.

If you’re serious about modernising your Cyber Security posture, the conversation needs to start in the boardroom—not the server room.


Book a Breach Simulation

F12 is currently offering executive-level breach simulation workshops designed specifically for Canadian mid-market companies. These are not technical drills—they’re strategic scenario walkthroughs that surface gaps, define responsibilities, and prepare you for the inevitable. Book your simulation now or contact us to learn more.

You don’t need to be breached to learn from one. But you do need to act before it’s your headline.


Frequently Asked Questions (FAQs)

1. What happened in the WestJet cyber attack in 2025?

WestJet confirmed a cyber incident on 14 June 2025, impacting its mobile app and internal systems. While full details remain under investigation, the breach prompted law enforcement and Transport Canada involvement, highlighting its seriousness and potential regulatory implications.

2. Why should Canadian SMBs and mid-market businesses care about a large enterprise breach?

Large breaches expose vulnerabilities across entire supply chains. If you’re digitally connected to larger partners—as a vendor, customer, or integrator—you may be indirectly targeted or directly impacted. Breaches like WestJet’s reveal how interconnected and exposed most Canadian businesses now are.

3. What is co-managed IT and how does it support breach resilience?

Co-managed IT is a partnership model where your internal IT team works alongside a dedicated external provider (like F12) to strengthen Cyber Security posture. This includes breach simulation, response planning, threat detection, and compliance reporting—delivered in a modular, outcome-driven way.

4. Does Bill C‑26 affect businesses with under 1,000 employees?

Yes—indirectly. While Bill C‑26 targets federally regulated infrastructure providers, it also drives new expectations across their vendor ecosystems. Many mid-market firms are already facing increased scrutiny, insurance requirements, and RFP language due to C‑26’s influence.

5. What should a Canadian executive breach-response plan include in 2025?

A strong plan includes a named incident response lead, documented escalation paths, insurance contacts, regulator notification timelines, a legal comms script, and a recovery budget. It should be tested at least annually with executive participation.

6. What are the Cyber Security expectations for Canadian vendors today?

More enterprises and regulated firms are demanding that vendors demonstrate Cyber Security maturity—often via questionnaires, attestations, or audit rights. Canadian SMBs and mid-market firms need to prepare for cyber due diligence to remain competitive and contract-compliant.
