Alaska Air Group Federal Credit Union Breach Exposes Data of Over 10,700 Members

TL;DR **On March 9, 2026, Alaska Air Group Federal Credit Union disclosed a breach affecting over 10,700 members after attackers infiltrated its systems via a compromised third‑party IT provider.**

Context Alaska Air Group Federal Credit Union (AAGCU) serves employees, retirees and families of Alaska Airlines, Hawaiian Airlines, Horizon Air and related affiliates. Founded in 1952, the not‑for‑profit credit union relies on external vendors for certain IT functions, a common practice that can introduce supply‑chain risk.

Key Facts Investigators traced the intrusion to on or about March 5, 2026, when the credit union’s third‑party IT service provider suffered a cybersecurity incident. Attackers used the provider’s access to move into AAGCU’s network, likely leveraging stolen valid credentials (MITRE ATT&CK T1078). After detecting the anomaly on March 9, 2026, AAGCU launched an investigation with external cybersecurity experts and secured its environment. The exposed data included Social Security numbers, account numbers, dates of birth, driver’s license numbers, passport numbers, routing numbers and tax identification numbers. A total of 10,705 individuals across the United States were affected, with eight residing in Maine. Written notifications to affected members began April 16, 2026.

What It Means The breadth of personally identifiable information heightens the risk of identity theft, fraudulent account opening and tax‑related scams. Affected members are advised to monitor credit reports, consider fraud alerts and review account statements for unauthorized activity. A class‑action investigation is underway, which could result in settlements or compensation claims. Regulatory bodies may also scrutinize the credit union’s vendor management practices.\n Mitigations Organizations should enforce multi‑factor authentication for all third‑party accounts, adopt zero‑trust network segmentation, and continuously monitor privileged access for anomalous behavior (MITRE ATT&CK T1059.004). Regularly review and patch known vulnerabilities in vendor‑managed software, referencing advisories such as CVE‑2024‑12345 if applicable. Implement logging and alerting for lateral movement techniques (T1021) and exfiltration over web services (T1567). Conduct periodic tabletop exercises focused on supply‑chain incident response.

What to watch next Expect updates on the ongoing litigation, any regulatory penalties, and whether similar supply‑chain attacks surface against other financial institutions in the coming months.