Alaska Air Group Federal Credit Union Offers 24‑Month Credit Monitoring After Third‑Party Breach Exposes Data of 10,705 Members

**TL;DR** On March 5, 2026 attackers compromised a third‑party IT service provider used by Alaska Air Group Federal Credit Union (AAGCU) and moved laterally into the credit union’s systems, potentially accessing Social Security numbers, financial account details and other sensitive data of 10,705 individuals. AAGCU reported the incident to California and Maine attorneys general on April 17, 2026 and is offering 24 months of free credit monitoring and identity protection through Experian IdentityWorks.

**Context** The breach originated outside AAGCU’s own network. Unauthorized actors first infiltrated the third‑party provider, then used that foothold to reach AAGCU’s internal systems. An investigation found that certain files may have been copied, exposing names, dates of birth, driver’s license and passport numbers, routing numbers, tax identification numbers and account information. Notification letters were mailed to affected consumers on April 16, 2026; the credit union said it has seen no evidence of misuse so far.

**Key Facts** - Approximately 10,705 U.S. individuals were impacted, including eight Maine residents. - The breach was disclosed to the California Attorney General on April 17, 2026 (same day for Maine). - AAGCU is providing 24 months of complimentary credit monitoring and identity protection via Experian IdentityWorks, which includes credit monitoring, a signup credit report, identity restoration specialists, $1 million in identity theft insurance and continued support through the ExtendCare program after the membership ends. - Enrollment requires the activation code from the notification letter, can be completed online or by calling 877‑769‑1112 (Mon‑Fri, 6 a.m.–6 p.m. PT) and must be finished by July 31, 2026.

**What It Means** The incident highlights the risk of supply‑chain compromises where a trusted vendor becomes an entry point for attackers. Organizations should enforce strict vendor security assessments, require multi‑factor authentication for all remote connections, segment networks to limit lateral movement, and monitor for anomalous access patterns using tools aligned with MITRE ATT&CK techniques such as T1078 (Valid Accounts) and T1021 (Remote Services). Defenders should also ensure timely patching of third‑party software and maintain incident‑response plans that include rapid consumer notification and credit‑monitoring offers.

**What to watch next** Regulators may review whether AAGCU’s vendor‑management practices met state data‑protection standards, and any signs of fraudulent use of the exposed data could trigger further consumer‑protection actions.