Disclaimer: Based upon the findings I made researching Alaska Air Group (ALK)’s spate of account hackings, I now have a short position on the company and stand to profit from a decline in ALK’s share price. Everything that follows is sourced from SEC filings, public social media posts and other public information.

The last few months I have unearthed a host of irregularities at ALK 0.00%↑ Alaska Air Group.

My exhaustive report peppered with technical accounting speak is available here.

Below is an abridged version that will allow all to follow along.

Subscribe if you want to find out what happens next.

Alaska Airlines and an Unexplained 2025

We start on the balance sheet and finish with the customer. 2025 has many mysteries for ALK 0.00%↑ investors.

Four Anomalies That Require Statutory Explanation

We have four balance sheets anomalies sourced directly in the financial statements that show divergence from Alaska’s previous business practises.

These do not appear to have been disclosed to investors and regulators in a manner compliant with accounting standards.

Q2 2025 SEC Filings

One: A 10.4σ Accounting Discontinuity

$180 million of additional loyalty programme liability without corresponding revenue. A significant break from expectations. The other big US airlines’ ratios stay in line.

In simplistic terms, investors have come to expect issuing this much in loyalty points, would also mean $98 million in revenue, with almost 100% margin, thus the missing profit is.curious.

Management have chosen not to disclose to investors the reasons for this.

Two: A Similarly-Sized Jump in Cash Due From BofA

At the same time, liability due from affinity partners (which we we’ll take to be their credit card partner, Bank of America), leapt up by $195 million, 176% growth from Q1 2025.

Three: A Backwards Revision of Cash Due From BofA

In the Q4 2024 10-K filings, the balance due from BofA was $118 million. A disclosure drafted to clearly to not draw attention to this was far away from where the change was made in the statements.

Q3 2025 SEC Filings

Four: The Cash Now Due From BofA Does Not Clearly Arrive

Much of the elevated balance due from BofA has reverted to levels historically understandable, implying cash collection. Overall variance analysis of operational cash flow circumstantially to appear it may not have made it to cash collections.

What is clear however, is that Other Non-Current Assets grew unexpectedly grew by $120 million in the same period the Receivable balance reduced by $129 million. The receivable balance leads investors to believe that cash is imminent, especially from a long-standing partner, who is also an enormous bank.

If indeed a migration to Other Non-Current Assets, from the investor’s perspective, means they would have expected $120 million (33% of 2024 net income) in cash in ~30 days. Instead the only thing all you know about the new asset is there is no expectation of it providing a cash distribution in the next 12 months.

Emerging Customer Behaviour Changes

The same period shows a trend step-change that if sustained, would materially reduce the profitability of the loyalty programme.

Q2 and Q3 2025 Filings

In the calculations laid out in our extensive report, we look at ratios, but it may be easier to describe in terms of percentages. The base period is necessarily unstable, as the different stages of the transactions with Hapwaiian Airlines pass through, beginning with reciprocal use, but moving all the way to today, where there is just a singular loyalty programme.

However, in Q4 2024 just after September 15th when the purchase of Hawaiian Airlines was completed, 12.1% of loyalty programme redemptions were made on Partner airlines. By Q2 2025, that have become 16.7% by Q3. It was now 18.2% of total flights were now being taken by Alaska members on partner airlines.

the precise underlying economics and changes in revenue and profitability are unable to be reliably assessed through secrecy requirements. However, we can see the incremental spend on partner redemptions is nearly $50 million in just two quarters.

Investors must watch Q4 filings for this number with great attention. If it continues to grow at a 72% annualised rate, you should throw your valuation models away as they will need to be re-built based upon much higher redemption expenses.

Alaska’s Members’ Account Thefts are Accelerating

370 member’s accounts of thefts from their loyalty accounts in 2025.

Examine the full database here.

60% were discovered in 3 obscure online communities. Two of which are devoted to Alaska loyalty ultras with a cumulative 105,000 members. The most notable is USCardForum.com, which boasts 30,000 members since inception, is entirely in Chinese, and has a low single digit percent of their discussions about Alaskan Airlines. Yet 41 different members discussexc their crime.

Whilst far from a random sampling, they together have just 135,000 members, strongly indicating the 370 found announcing their thefts is the very tip of an iceberg.

I do not believe the iceberg analogy has any scope for an acceleration, but `103 new thefts were declared in December 2025.

Alaska appears to be uniquely vulnerable to these hacks at a rate of 23x their peer airlines.

Counting The Cost

A more robust analysis, with greater variables appropriate to estimating the full impact of these thefts, to Alaska is made in the full report.

however, to illustrate here the potential costs, if we consider 370 hacks represent just 2% of the total happened given the high percentage of those found in niche forums, then we estimate the price paid to partner airlines is around 0.75 cents a mile. From the hacks observed, we find the average size of theft in miles is 224,861. This gives an expense for hacks at this level of $31.2 million.

never mind regulations of reporting customer hacks that exist for the SEC and local attorney generals. The materiality would compel disclosure at this level.

As much as the accounting argot necessary for much of the main report has subsides briefly, we shall reproduce that section faithfully.

Mode of Loyalty Points Theft

Attack Characteristics

• Target: Partner airlines

• Cabin: Premium

• Timing: <48 hours before departure

• Average theft: 224,861 miles

• Notification muzzling: Notification email switched so member unaware of booking

Repeated Evidence Refuting User Negligence or Credential Stuffing

PIN Bypass: Accounts compromised despite Alaska’s mandatory PIN lock already in place.

Same-Day Repeat Compromise: One account hacked twice in one day, with password change between incidents.

Session Hijacking: HackerNews user reported logging in and was randomly granted access to other customers’ accounts. Four months later, the vulnerability persisted.

Implied PII Data Breach

If thousands of high balance accounts have been breached, this implies that a multiple of the accounts that have been drained must have been accessed to ascertain the points balance within.

Hacked Accounts for Sale

The compromised accounts for sale were seen by NordVPN for sale on the dark web.

Alaska’s Response

The documented incidents have generated observable corporate responses. The nature and timing of these responses raise questions.

Victim documentation reveals standardised response:

1. Miles restored upon identity verification

2. Characterised as “one-time courtesy”

3. Warning: “We will not help you again”

4. Victim’s accounts are sanctioned with telephone-only access to book award miles.

The consistency suggests formal policy designed to meet frequent incidents. One CSR is quoted saying on hacked account victims “she has to do this 3-5 times per day“.

The policy to restrict victim’s accounts can be found back in April 2022 and has been a consistent response since.

Management Commentary

Press coverage of the phenomenon by Fox13 Seattle and KIRO 7 in July and the Seattle Times in November yielded only generic replies from Alaska and no meaningful engagement.

However Alaska VP of Loyalty announced on 7th October 2025 on Reddit that:

“fraud attempts are getting worse almost daily. It’s something we take very seriously, and it has visibility all the way up to our CEO.”

The 23rd June 2025 Hawaiian Airlines cyberattack’s latest reference in Q3 2025’s 10Q was:

“we do not believe the incident had ... a material impact ... The investigation remains active ... unable to determine the full impact [yet]”

After multiple IT outages that grounded flights, Alaska engaged Accenture on 31st October for a “comprehensive audit of its technology systems”. Remarkably the incident was used as rationale to cancel, not postpone, the earnings call.

However the CFO provided the first commentary on the Accenture engagement on 4th December 2025

“we don’t have a systemic architecture failure... Have we just under-resourced ourselves? That’s not what they [Accenture] found.”

“Hygiene” and “[an excess] of innovation” were cited as contributory factors to the outages:

“...launched a brand new loyalty platform... and needed to make a lot of updates to our technology, our apps, our website”

Notably the new platform’s 20th August launch did nothing to inhibit the volume of loyalty points thefts in our collection of hacked accounts.

The direct response on IT infrastructure represents a de facto statement that compromised accounts are not a critical identified issue in the current audit.

The Signalling in a Terms Change

Alaska recently made an alteration to the terms to their loyalty programme, adding a standalone paragraph (archive).

On 11th September 2025, and before, this term was notably absent:

The additional paragraph, the sole non-cosmetic update to the terms, has a clear meaning.

“Due to system or partner issues” - Alaska’s own system flaws are no longer to be blamed.

“Including after posted or redeemed” - refunded miles can now be un-refunded.

“Regardless of member fault” - victims being blameless for account thefts is no longer a reason for reimbursement.

This defensive legal firewall specifically relates to the ability to remove, or not replenish, loyalty points lost by a blameless member through system issues.

The Tarnished Loyalty Programme

In December 2024, Alaska proudly shared some statistics on their loyalty programme:

Everything uncovered in this investigation calls into question the $12 billion valuation ascribed to the loyalty scheme, especially when compared to today’s market cap of $6 billion.

In April 2022, almost 4 years ago, a user described:

”They reset my account, put the miles back in, then said I needed to add a pincode next time or they would not refund the issue in the future.”

The theft and remediation are completely the same then as they are now. Alaska has failed to patch this vulnerability in all of that time.

The only logical reasons for this, is that they won’t or that they can’t.

This fact alone surely makes Alaska Airlines ALK 0.00%↑ uninvestable.

Read the full report here.