First Lawsuit Filed Against Alaska Air Group CU Over Breach; Class Action Being Sought

SEATTLE — An Arizona woman has filed a proposed class-action lawsuit against Alaska Air Group Credit Union following a March data breach that exposed the personal information of more than 10,000 members.

As the CU Daily reported here, Alaska Air Group Federal Credit Union disclosed a data breach tied to a third-party IT service provider. The breach originated on or about March 5, 2026, when a vendor providing information technology services to the credit union experienced a cybersecurity incident. Unauthorized actors initially compromised the third-party provider and then leveraged that access to infiltrate the $129.8-million AAGCU’s internal systems, the credit union said.

The lawsuit, filed in the U.S. District Court for the Western District of Washington, alleges the AAGFCU failed to implement adequate cybersecurity protections, the Seattle Times reported.

Plaintiff Amanda Stratton, a former Alaska Air Group employee, claims the credit union did not take proper measures to prevent the breach and delayed notifying affected members, exacerbating the harm, according to the report.

Class Action Being Sought

The lawsuit, brought by attorneys with Migliaccio & Rathod LLP and the Law Offices of Mark J. Hilliard, seeks class-action status on behalf of individuals whose data was compromised in the breach, the Seattle Times reported.

Stratton said she did not receive notification of the breach until April 16, more than a month after the incident, and has since experienced an increase in spam messages, according to the complaint. Her attorneys argue she faces ongoing risks of identity theft and fraud and will incur time and expense to mitigate potential damage, according to the Times report. 

The lawsuit seeks unspecified monetary damages and calls for the credit union to strengthen its cybersecurity systems, undergo annual audits and provide ongoing credit monitoring services to affected members, the report said.

Breach Allegedly Caused by Third Party

In a notice to customers cited by the Seattle Times, the credit union said the breach stemmed from a cybersecurity incident involving a third-party information technology service provider.

“We immediately initiated an investigation with the assistance of cybersecurity experts and confirmed our IT environment was resecured,” the credit union said in the notice, according to the report.

The credit union is reviewing potentially affected files to determine what personal information may have been compromised and has offered 24 months of free credit monitoring to impacted members. It said additional notifications will be issued if more customers are found to be affected.

CU Allegedly ‘Cut Corners’

Attorneys for Stratton allege the credit union “cut corners” on security measures and misrepresented its ability to safeguard member data, the Seattle Times reported, adding that the lawsuit cites prior high-profile breaches, including those involving Equifax and Capital One, as evidence the institution should have anticipated such risks.

Other credit unions that have recently announced data breaches include Georgia Heritage CU, as reported here; Frontwave Credit Union, as reported here, and MetroWest Community Credit Union, as reported here.


One Response

  1. This piece reads less like journalism and more like a press release drafted by plaintiff’s counsel. It uncritically amplifies the allegations of a lawsuit filed by firms that openly advertised their intent to sue before any facts were established — with no meaningful scrutiny of those claims.

    The forensic work my team conducted was thorough, professional, and conducted in good faith. The credit union acted promptly to secure its environment and engaged cybersecurity experts immediately. The article’s framing that the organization “cut corners” is a legal allegation, not an established fact, yet it was presented with virtually no counterweight.

    Responsible reporting on cybersecurity incidents requires more than reprinting a complaint. It requires context: what security measures were actually in place, what the third-party vendor’s role was, and what the investigation actually found. None of that appeared here.
