Alaska Air Group Credit Union sued over data breach
In early March, hackers stole the personal information of over 10,000 Alaska Air Group Credit Union members. Now, one of those members is suing for her money back - and then some.
In a lawsuit filed Friday in the U.S. District Court for the Western District of Washington, Arizona resident Amanda Stratton, a former employee of Alaska Air Group, accuses the SeaTac-based credit union of allegedly failing to take proper security measures to prevent the data breach.
The credit union is a financial cooperative separate from Alaska Air Group. It provides financial services such as loans and banking to Alaska Air Group employees, retirees and their families.
Since the cybersecurity incident, a number of law firms have signaled their intention to sue.
Washington, D.C.-based Migliaccio & Rathod LLP and California-based law offices of Mark J. Hilliard, who represent Stratton in the lawsuit, jumped ahead. They seek class-action status for the case, which would open it to those who received a notice that their data was compromised as part of the March breach.
Alaska Air Group Credit Union's failure to immediately provide formal notice of the breach to affected customers exacerbated the breach's harm, the lawyers claim in the lawsuit.
Stratton received her notice on April 16, over a month after the data breach, that her personal information was compromised. She's since been inundated with spam messages, according to the complaint.
Her lawyers argue in the lawsuit that Stratton will have to spend considerable time and money to mitigate the harm caused by the breach, which will continue to put her at risk of identity theft and fraud for years.
"If Ms. Stratton had known that (the credit union) would not adequately protect her Private Information, she would not have entrusted (the credit union) with this Private Information," her lawyers wrote.
The lawsuit seeks an unspecified amount of money for class members. Additionally, it wants the credit union to strengthen its data security systems and monitoring procedures, submit to future annual audits of those systems and monitoring procedures, and provide free, ongoing credit monitoring to all class members.
The Seattle Times reached out to Alaska Air Group Credit Union and was provided an excerpt from the notice letter sent to affected customers.
The letter explains that the credit union's third-party information technology service provider experienced a cybersecurity incident.
"We immediately initiated an investigation with the assistance of cybersecurity experts and confirmed our IT environment was resecured…," the statement read.
Stratton's lawyers allege that Alaska Air Group Credit Union cut "corners on security measures that could have prevented or mitigated the Security Breach that occurred" and falsely represented that its security measures were sufficient to protect customers' personal data.
The credit union should have known it would be a target for hackers, the lawyers argue, considering the high-profile data breaches that have hit the financial industry, including Equifax and Capital One customers, over the last decade.
"(Customers) overpaid for a service that was intended to be accompanied by adequate data security but was not," the lawyers wrote.
The credit union is reviewing the potentially affected files to determine whether they contained personal information, the types of personal information that may have been involved, and to whom the information pertains, according to the credit union's notice. Those who receive the notice are entitled to 24 months of free credit monitoring services.
If the company finds that additional customers had their data compromised, it will send out another notice, the letter said.
Copyright 2026 Tribune Content Agency. All Rights Reserved.
This story was originally published May 5, 2026 at 11:12 AM.