ALK Accounted

BAKED ALASKA

The 10-Sigma Anomaly: Undisclosed Cybersecurity Crisis and $120M Unexplained Balance Sheet Movements at Alaska Air Group ($ALK)

16 December 2025



DISCLAIMER:
The author holds a short position in Alaska Air Group (ALK) and stands to profit from a decline in the share price. This report represents analysis of publicly available information, including SEC filings, public financial data, and social media documentation. It constitutes opinion, not investment advice. Management may have information not apparent from public disclosures that differs from the interpretations presented here. Management’s response would be welcomed.


EXECUTIVE SUMMARY

Forensic analysis of Alaska’s Q2/Q3 2025 financial statements identifies a discrete, one‑quarter break in loyalty programme contract‑liability economics (the 10.40σ issuance-to-revenue anomaly) that coincides with (i) a $195M spike in amounts due from affinity card partners and (ii) an apparent $120M migration into “Other Non‑Current Assets” the following quarter without disaggregated explanation.

These patterns are consistent with either (a) a material change in loyalty programme estimates/allocations or partner settlement terms, or (b) a presentation / classification / collectibility issue within contract balances and partner receivables. In either case, current public disclosures do not enable investors to reconcile the movement.

Simultaneously, Alaska is experiencing a systematic cybersecurity failure leading to widespread theft of members’ mileage (aka Atmos) accounts, which remains unchecked as of publication.

The two discoveries may be related. If the scale of the thefts approaches our estimates, this could represent a material expense that is not clearly identifiable in Alaska’s SEC filings.

Three Independent Data Sets, One Conclusion

1. The 10-Sigma Accounting Anomaly

In Q2 2025, Alaska’s loyalty issuance-to-revenue ratio deviated 10.40 standard deviations (Appendix A.3 for methodology; Workbook A:Sch3 for calculation) from its historical baseline, a magnitude far beyond peer airlines’ comparable ratios. The ratio immediately reverted in Q3 2025, confirming a discrete anomalous event.

2. The Undisclosed Balance Sheet Reclassification

A $195M quarter‑on‑quarter increase in “Amounts due from affinity card partners” (from $111M to $306M) coincides with the loyalty liability issuance anomaly. In Q3, the balance declines by $129M while “Other Non‑Current Assets” increases by $120M, with no disaggregated narrative identifying the nature of the movement, whether it represents cash collection, reclassification to a long‑dated receivable/contract asset, or another asset category.

The Chain of Events: Liabilities were issued significantly below historical allocation patterns (evidenced by the 10.40σ revenue anomaly); the resulting receivable spike’s magnitude was reduced via a mid-year retroactive reclassification; and the uncollected balance appears to have been reclassified to non-current assets without disclosure.

Decision Tree: Based on the published financial statements, at least one of the following must be true:

  1. Alaska experienced a material change in loyalty accounting estimates or allocation judgments (e.g., SSP/breakage/PO allocation), which would typically require interim-period explanation of the nature and effect; or

  2. Alaska experienced a material change in affinity partner settlement terms / collectibility / classification (e.g., extended terms, dispute, contract-asset conditionality), which would typically require clear presentation and liquidity discussion; or

  3. Alaska incurred a material issuance of loyalty obligation without corresponding consideration (e.g., mass reinstatements/customer credits), which would require an identifiable offset in revenue or expense; or

  4. The reported presentation does not faithfully depict the underlying transaction flows and requires correction.

Management can resolve this in a single disclosure by providing a rollforward and classification bridge for the affected contract balances and affinity receivables.

3. The Cybersecurity Crisis at 24x Peer Rate

Analysis of public forums documents 265 account compromises in 2025 (App. D); Alaska’s normalised incident rate is 24 times higher than that of peer airlines. A statistically significant $45M excess in partner airline redemptions aligns with established fraud underreporting rates (App. B), which imply a total of 26,500 victims producing an estimated direct cost of $43M, a convergence that transforms circumstantial evidence into a quantified correlation.

Estimated Financial Exposure

App. F; WB A: Sch7

Materiality Context


THE 10.40σ ANOMALY

The Metric

The issuance-to-revenue ratio tracks loyalty liability created relative to revenue recognised. In a mature programme with stable contract economics, this ratio exhibits minimal variance.

The Data

For 11 quarters (Q3 2022 – Q1 2025), the ratio was stable: mean 1.883, standard deviation 0.083.

In Q2 2025, the ratio spiked to 2.743.

Source: Alaska Air Group Q2 2025 10-Q, Note 3: Revenue

The ratio reverted to 1.87 in Q3 - confirming a discrete event. If the baseline ratio had held, expected issuance would have been $396M. The $180M excess requires explanation.

One mechanism that can increase loyalty contract liability without contemporaneous “loyalty programme other revenue” is issuance without consideration (e.g., reinstatements/customer credits following account compromise or operational correction). However, if this is the explanation at the observed scale, it necessarily implies a corresponding offset in an identifiable income statement line (contra‑revenue or expense) and would be expected to be explainable through interim disclosures. (See Appendix A.8.)

Peer Comparison

Source: Company 10-Q filings. See App. A.4 for peer comparison methodology.

The anomaly is unique to Alaska. No industry-wide factor explains the deviation.


THE BALANCE SHEET TRAIL

Step 1: The Receivable Spike (Q2 2025)

The Q2 increase in “Amounts due from affinity card partners” (+$195M) is similar in magnitude to the ~$180M “excess” loyalty contract liability creation implied by the issuance-to-revenue anomaly. This pairing suggests the anomaly likely flowed through the affinity channel rather than being a standalone loyalty accounting artifact.

Under ASC 606, affinity arrangements typically create (i) a receivable/cash flow from the partner and (ii) recognised “loyalty programme other revenue” alongside (iii) a contract liability for the portion of consideration allocated to future travel. The observed quarter shows an outsized liability creation relative to recognised loyalty other revenue, which is difficult to reconcile without a material change in allocation estimates/terms or an issuance event not supported by contemporaneous consideration.

Step 2: The Reclassification (Q3 2025)

The receivable dropped by $129M in Q3. If this represented straightforward cash collection, the cash flow statement would be expected to evidence a corresponding operating cash inflow associated with receivable movements. Appendix A notes that Q2 reflected a ~$171M operating cash use tied to receivable movements, whereas Q3 does not evidence a comparably clear reversal.

Instead, “Other Non‑Current Assets” rose by $120M, with no disclosure describing the nature of that increase.

Step 3: The Retroactive Revision

Alaska revised its 31 December 2024 affinity receivables from $118M to $176M - a 49% ($58M) increase - characterised as “immaterial.”

The magnitude and nature of the $58 million adjustment would ordinarily prompt a SAB 99 style materiality assessment. Such an assessment considers not only quantitative magnitude, but also qualitative factors including the nature of the item, its timing, the circumstances giving rise to the adjustment, and whether it masks trends or affects compliance with covenants or other metrics. The issue is therefore not whether a percentage threshold is crossed, but whether the adjustment is material in context.

Even if total receivables were unchanged, a retroactive reclassification that materially alters the apparent growth rate of the same line item that spiked in the anomaly quarter is qualitatively material to trend analysis and warrants clear explanation.

The reclassification occurred in the Q2 10-Q filing (August 2025) - after the Q2 receivables spike to $306M, not during the annual audit (February-March 2025). The timing raises questions about whether the reclassification had the effect of reducing the apparent magnitude of the Q2 spike: without revision, the increase would have been 159% ($118M → $306M); with revision, it was 74% ($176M → $306M).

The Affinity Partner Settlement Question

The balance sheet pattern creates a narrow set of explanations that are observable and falsifiable under GAAP:

  • Cash collection: If the Q3 decline reflects collection, management can reconcile cash receipts from affinity partners to operating cash flow and working capital movements.

  • Extended terms / long‑dated receivable: If payment terms extended beyond one year, the balance should remain clearly identifiable as a receivable (current vs noncurrent) with discussion of liquidity effects and any significant financing component.

  • Contract asset conditionality: If collection became conditional on future performance/events, the balance should be described as a contract asset with disclosure of the nature of the conditionality.

  • Collectibility / dispute: If collectibility became uncertain, management should explain the change in risk and the accounting consequences.

The current filings do not describe which of these explains the $120M migration into “Other Non‑Current Assets.”

A detailed exploration of the null hypothesis can be found in Appendix A.8.


THE CYBERSECURITY CRISIS

24x Peer Incident Rate

Systematic review of public forums verifiably identified 265 account compromises in 2025 up to November 30th 2025 (WB B).

Alaska’s rate is 24 times higher than the aggregate weighted average of peer airlines. The table below was compiled using a controlled, independent methodology, principally on Reddit, to scholastically compare the frequency of mileage thefts.

The Q3 Surge

Elevated incidents of hacked accounts continue with 39 recorded in November 2025.

Attack Characteristics

  • Target: Partner airlines (Qatar Airways dominates victim accounts)

  • Cabin: Premium (Business/First)

  • Timing: <72 hours before departure

  • Average theft: 217,831 miles

  • Notification muzzling: Many victims report that the usual email notification and receipt were absent

Thefts carry a cash expense for Alaska, which must reimburse partner airlines for the flights redeemed.
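
The four characteristics listed above can be turned into a triage rule by correlating award-booking records with the outbound notification log. This is an added example, not taken from the report or from any Alaska system; the log format, field names, carrier codes and the hold threshold are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data). The key=value format and all
# field names are assumptions made for this example.
SAMPLE_LOG = """\
2025-11-03T09:12:00+00:00 event=award_booked booking=B1 member=M100 carrier=QR cabin=business departs=2025-11-04T22:40:00+00:00 miles=210000
2025-11-03T10:00:00+00:00 event=award_booked booking=B2 member=M200 carrier=AS cabin=economy departs=2025-12-20T15:00:00+00:00 miles=12500
2025-11-03T10:00:04+00:00 event=email_sent booking=B2 template=award_receipt
2025-11-03T11:30:00+00:00 event=award_booked booking=B3 member=M300 carrier=QR cabin=first departs=2026-02-10T08:00:00+00:00 miles=180000
2025-11-03T11:30:03+00:00 event=email_sent booking=B3 template=award_receipt
"""

OWN_METAL = {"AS"}                      # assumption: codes treated as non-partner
PREMIUM_CABINS = {"business", "first"}  # "Premium (Business/First)"
CLOSE_IN = timedelta(hours=72)          # "<72 hours before departure"


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def indicators(booking, notified):
    """Return which of the four listed characteristics a booking matches."""
    hits = []
    if booking["carrier"] not in OWN_METAL:
        hits.append("partner_airline")
    if booking["cabin"] in PREMIUM_CABINS:
        hits.append("premium_cabin")
    lead = datetime.fromisoformat(booking["departs"]) - booking["ts"]
    if timedelta(0) <= lead < CLOSE_IN:
        hits.append("close_in_departure")
    # The notification check is a join against the mail log, not a flag
    # on the booking itself: a booking with no email_sent record counts.
    if booking["booking"] not in notified:
        hits.append("notification_absent")
    return hits


def triage(log_text, hold_at=3):
    """Map booking id -> (decision, indicators); hold_at is an assumed threshold."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    notified = {r["booking"] for r in records if r["event"] == "email_sent"}
    result = {}
    for r in records:
        if r["event"] != "award_booked":
            continue
        hits = indicators(r, notified)
        decision = "hold" if len(hits) >= hold_at else "allow"
        result[r["booking"]] = (decision, hits)
    return result


if __name__ == "__main__":
    for booking, (decision, hits) in triage(SAMPLE_LOG).items():
        print(booking, decision, ",".join(hits) or "-")
```

A "hold" here means the redemption is queued for step-up verification of the member before ticketing; an ordinary partner premium award (B3) matches only two indicators and passes.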

Repeated Evidence Refuting User Negligence or Credential Stuffing

PIN Bypass: Accounts compromised despite Alaska’s mandatory PIN lock already in place.

Same-Day Repeat Compromise: One account hacked twice in one day, with password change between incidents.

Session Hijacking: A Hacker News user reported logging in and being randomly granted access to other customers’ accounts. Four months later, the vulnerability persisted.

Implied PII Data Breach

If thousands of high-balance accounts have been breached, a multiple of the number of accounts drained must have been accessed in order to ascertain the points balance within. We can only speculate how many hundreds of thousands of accounts have been accessed. These accounts may hold:

  • Passport numbers

  • Date of Birth

  • Address

  • TSA traveller redress numbers

  • Family members’ PII, including children’s

Suggestion the Scale of Thefts Could Be Demand-Driven

A recent blog post by NordVPN (archive) showed Alaska miles for sale on the dark web at astonishingly low prices:

One-way long-haul business class flights can be bought for as little as $35.

This level of pricing raises the question of whether the number of travellers willing to travel under their real name on stolen points is the limiting factor on the number of accounts compromised and drained.

If this theory holds, there is no upper bound on the number of accounts accessed or waiting to be stolen from.

Implied Impunity

The 265 identified cases manifestly indicate 1000s that were not.

58 of the accounts reference the victim contacting Alaska prior to the flight’s boarding. Separately, of the flights where the origin was identified (38 cases), 39% were in the USA. For the destination (42 cases) it was 38%.

These statistics imply detainments in the 100s. So where is news of them? Surely if Alaska goes as far as to say to a Titanium (highest tier) member:

“If we find out this was you, we will peruse [sic] prosecution”

then they would have no trepidation in apprehending the actual thieves, and prosecutions would be in the public domain. One would expect Alaska to amplify them to obliterate demand for the illicit tickets and thus the motivations for the hackers.

Were they reported? Did the tickets even get cancelled? Were TSA or CBP advised of any incoming foreign nationals arriving using fraudulent tickets?


THE UNIFIED THEORY: MATCHING THE DOLLARS

The Financial Statement Anomaly

Q2 and Q3 saw notably altered behaviour in partner redemptions.

Our statistical analysis in the Appendix enumerates what is visually apparent and takes account of any post-merger dynamic shifts to identify a $45M delta from expected partner redemptions in relation to those on Alaska’s fleet.

Bottom-Up: The Fraud Estimate

The accounts of stolen points are temporally backwards-looking by default. As we show, statistical predictions of the total number of accounts are subject to a much wider range of potential outcomes, but a convergence of these analyses is notable.

The Convergence

This convergence is suggestive but should be interpreted with caution given the wide confidence interval on the bottom-up estimate.

However, two independent approaches - social media documentation and SEC filings - converge on similar figures. In my opinion, this alignment is unlikely to be coincidental.


THE ALASKA RESPONSE

The documented incidents have generated observable corporate responses. The nature and timing of these responses raise questions.

Victim documentation reveals a standardised response:

  1. Miles restored upon identity verification

  2. Characterised as “one-time courtesy”

  3. Warning: “We will not help you again”

  4. Victims’ accounts are sanctioned with telephone-only access to book award miles.

The consistency suggests a formal policy designed to meet frequent incidents. One CSR is quoted saying of hacked account victims that “she has to do this 3-5 times per day.”

The Terms Change in Apparent Response

Alaska very recently changed the terms of its loyalty program with just one non-immaterial alteration, the addition of a standalone paragraph (archive). As recently as 11th September 2025 the following aggressive addition was absent:

“Alaska Airlines may deny, revoke, or adjust Atmos Rewards points... if determined to have been granted in error, including due to system or partner issues, regardless of member fault.”

“Due to system or partner issues” - Alaska’s own system flaws are no longer to be blamed.

“Including after posted or redeemed” - refunded miles can now be un-refunded.

“Regardless of member fault” - victims being blameless for account thefts is no longer a reason for reimbursement.

As recently as 11 September this paragraph was completely absent. This defensive legal firewall specifically relates to the ability to remove, or not replenish, loyalty points lost by a blameless member through system issues.

Management Commentary

Press coverage of the phenomenon by Fox13 Seattle and Kiro7 in July and the Seattle Times in November yielded only generic replies from Alaska and no meaningful engagement.

However, Alaska’s VP of Loyalty announced on 7th October 2025 on Reddit that “fraud attempts are getting worse almost daily.”

The 23rd June 2025 Hawaiian Airlines cyberattack’s latest reference in Q3 2025’s 10Q was:

“we do not believe the incident had ... a material impact ... The investigation remains active ... unable to determine the full impact [yet]”

After multiple IT outages that grounded flights, Alaska engaged Accenture on 31st October for a “comprehensive technology audit”. Remarkably the incident was used as rationale to cancel, not postpone, the earnings call.

However, the CFO provided the first commentary on the Accenture engagement on 4th December 2025:

“we don’t have a systemic architecture failure... Have we just under-resourced ourselves? That’s not what they [Accenture] found.”

‘Hygiene’ and ‘innovation’ were cited as contributory factors to the outages:

“...launched a brand new loyalty platform... and needed to make a lot of updates to our technology, our apps, our website”

Notably the new platform’s 20th August launch did nothing to inhibit the volume of loyalty points thefts in our collection of hacked accounts.

The direct response on IT infrastructure represents a de facto statement that compromised accounts are not a critical identified issue in the current audit.

What Can and Cannot Be Concluded

Established: Amendment exists, protocol exists, timing correlates with incidents.

Not established: Whether senior management understood scale; whether amendment was specifically responsive to fraud.

The circumstantial pattern is suggestive. Management is best positioned to clarify.


REGULATORY EXPOSURE

Department of Transportation

Alaska’s CEO personally signed a binding agreement with DOT on 14 September 2024 as a condition of the Hawaiian Airlines merger approval. Section III.G.1.b explicitly prohibits Alaska from taking actions that would “impose new limits on access, use, redemption, or validity” of miles.

Alaska’s practices appear to be inconsistent with this binding commitment:

  1. Telephone-only booking restrictions imposed on breach victims constitute “new limits on access” - members must call during business hours (Monday-Saturday), wait average 100 minutes, and receive only one-hour account unlocks.

  2. “Regardless of member fault” revocation clause added between 11 September and 29 November 2025 permits Alaska to “deny, revoke, or adjust points... due to system or partner issues, regardless of member fault” - directly authorising the devaluation the DOT agreement prohibits.

Enforcement mechanisms available:

  • 49 U.S.C. § 46301: Civil penalties up to $37,377 per violation per day

  • Agreement Section VI: DOT may pursue enforcement through federal court

  • Each affected member constitutes a separate potential violation

SEC (Financial Reporting)

  • 10.40σ loyalty issuance anomaly unexplained in Q2 10-Q filing

  • $120M moved to non-current assets in Q3 with no disclosure of nature or collectibility

  • $58M retroactive reclassification in Q2 10-Q (post-spike) reduced apparent receivables increase from 159% to 74%

Washington State Attorney General

  • RCW 19.255.010 requires breach notification within 30 days

  • Likely only a small proportion of the 265 hacks were announced, and the attack vector indicates that these would be a small proportion of total accounts

  • No public notifications identified

  • Precedent: Blackbaud multi-state settlement: $49.5M


FINANCIAL DEPENDENCY AND STRATEGIC RISK

The Programme’s Centrality

At Alaska Investor Day on 10 December 2024, management disclosed:

The $2.2B cash figure attracts a margin we can estimate from disclosures by Avianca (50% margin) and United (34% shown in 2020 Chapter 11). It likely delivers over $1B of operating cash flow on total net profit of $395 million.

The loyalty plan generates cash equivalent to the airline’s total operations.

The $2B Credit Facility

The loyalty plan secures a $2B facility with Bank of America. Standard provisions include:

  • Collateral maintenance requirements

  • Material adverse change clauses

A 24x peer breach rate and functional disabling of online utility may constitute material impairment. Covenant implications cannot be assessed without facility documentation, but warrant investor attention.

Strategic Risk Vectors

All these anomalies relate directly to this part of Alaska’s business: loyalty mile issuance, receivables from partners, members having miles stolen and accounts restricted.

Accounting Integrity: If the issuance-to-revenue ratio is broken, reported economics may not reflect reality.

Partner Confidence: The receivable non-collection raises questions about the Bank of America relationship.

Customer Trust: Victims are Alaska’s best customers (high-balance accounts). Permanent restrictions degrade utility for members who generate the most value.

Programme Currency: A loyalty programme functions as private currency. Question marks on the integrity of the supply of loyalty points have repercussions on its value, just like real currencies.

Ongoing Nature

These concerns are not historical. Incidents continue. 2FA remains unavailable. Each day without remediation accumulates additional exposure.


CONCLUSION

Summary of Findings

  1. 10.40σ accounting anomaly - unprecedented, unique among peers

  2. $120M reclassified without disclosure

  3. $58M retroactive reclassification characterised as “immaterial”

  4. 26,500 estimated fraud victims at 24x peer rate

  5. $43M/$45M convergence between incident estimate and financial anomaly

  6. Terms amendment shifting liability to customers

Near-Term Catalysts

  • Publication of this analysis

  • Q4 2025 / FY2025 audit scrutiny (February 2026)

  • Regulatory inquiry (SEC, DOT, Washington State AG)

Management Response Requested (Specific Reconciliations)

  1. Provide a rollforward of loyalty programme contract liabilities for Q2 2025 that separately quantifies: partner-sold point issuances, member-earned issuances, reinstatements/adjustments, breakage/estimate changes, and redemptions.

  2. Provide a schedule of “Amounts due from affinity card partners” by counterparty and by aging/settlement timing (current vs >12 months), including cash receipts by quarter.

  3. Provide a rollforward of “Other Non‑Current Assets” between Q2 and Q3 2025 identifying the component(s) driving the $120M increase, and whether any portion represents reclassified partner receivables/contract assets.

  4. Explain the nature of the retroactive revision to 12/31/2024 affinity receivables, including: what was reclassified, why it was identified in Q2 (not during the annual audit), and the impact on comparability/trend.

  5. State whether any material changes were made in Q2 2025 to loyalty programme SSP/breakage/fulfilment-cost estimates or to affinity partner contract terms, and quantify the income statement and balance sheet effect.

Investment Conclusion

The accounting anomalies cannot be explained by commercial movements that do not merit disclosure. The cybersecurity crisis is undisclosed. The two phenomena correlate in timing and magnitude.

These concerns are not reflected in current valuation. Until management provides adequate explanation, Alaska Air Group shares face material downside risk.


APPENDIX

APPENDIX A: ACCOUNTING METHODOLOGY INC. NULL HYPOTHESIS TESTING

APPENDIX B: INCIDENT SIZING METHODOLOGY

APPENDIX C: COMPARATIVE ANALYSIS METHODOLOGY

APPENDIX D: HACKS DATABOOK COMPILATION METHODOLOGY

APPENDIX E: UNDERSTANDING THE MILEAGE PLAN: AN ACCOUNTING PRIMER

APPENDIX F: FINANCIAL EXPOSURE METHODOLOGY

APPENDIX G: INDIVIDUAL MILEAGE THEFTS

WORKBOOK A: DATABOOK: SOURCE DATA AND CALCULATIONS

WORKBOOK B: DATABOOK: HACK INCIDENTS


ABOUT THE AUTHOR

Tommy Caton was co-founder, Chief Revenue Officer, and Chief Financial Officer of travel data analytics firm AirDNA from 2015 to 2022. He holds an MBA from the Kellogg School of Management and worked for four years in KPMG’s Corporate Finance division. This report is all his own work.

The author is not a professional short seller. This analysis originated from noticing irregularities in publicly available information, which led to taking a short position in Alaska Air Group. Prior to this, the author’s portfolio consists predominantly (95%) of diversified funds and just one individual stock.

tommy@noseyparker.org