Courts & Lawsuits

Frontier Airlines sued twice for weak cybersecurity after data breaches

Both a former employee and a customer filed lawsuits against the Denver-based airline earlier this week.
Frontier Airlines plane flies through the air
Frontier Airlines was hacked in May and June, according to two lawsuits.

Tomas Del Coro at Flickr

Carbonatix Pre-Player Loader

Audio By Carbonatix

Frontier Airlines got hacked, and now it’s getting smacked with two separate lawsuits.

Both an employee and a customer filed lawsuits against the Denver-based airline on July 15, alleging that the company failed to meet the Federal Trade Commission’s data security guidelines by failing to protect information and to alert potentially affected people when a data breach occurred. Both lawsuits were filed in the United States District Court for the District of Colorado and currently seek class certification.

Frontier declined to speak directly about the lawsuit, but the airline immediately “initiated our incident response protocols, notified law enforcement and engaged a third-party cybersecurity firm to conduct a comprehensive investigation,” according to spokesperson Rob Harris.

“We are in the process of notifying affected individuals and are otherwise complying with all applicable requirements,” he tells Westword.

GET MORE COVERAGE LIKE THIS

Sign up for the This Week’s Top Stories newsletter to get the latest stories delivered to your inbox

Editor's Picks

The incident began in May, when Frontier was attacked by hacker group Scattered Lapsus$ Hunters (yes, that’s the real name). Frontier was then attacked again in June, according to one of the lawsuits, leading to the collection of both employee and customer Personally Identifiable Information (PII).

Held for ransom

Scattered Lapsus$ Hunters is considered a “supergroup” of multiple hacking collectives, including Scattered Spider, LAPSUS$ and ShinyHunters. In addition to its ability to create fantastic names, the group has extorted hundreds of millions of dollars since its founding in 2025, according to Dataminr.

Both lawsuits against Frontier say the company hasn’t publicly announced whether a ransom was presented or paid. They point at a faulty security system and argue that the airline was negligent in protecting both client and employee info.

“[Frontier’s] cyber and data security systems were so completely inadequate in that it allowed cybercriminals, including at least Scattered Lapsus$ Hunters, to obtain files containing a treasure trove of thousands of its employees’ and customers’ highly sensitive PII,” according to the lawsuit on behalf of former employee Kimah Beach.

The complaint filed by Grace Stean, a Frontier customer and Colorado resident, also claims that Frontier saved money by opting for insufficient security systems.

“Instead of providing a reasonable level of security that would have prevented the hacking incident, Defendant instead calculated to increase its own profits at the expense of Plaintiff and Class members by utilizing cheaper, ineffective security measures,” the lawsuit reads.

It also says that a cyberhacker named “bobdahacker” released a report warning that Frontier’s boarding pass was functioning as a “skeleton key” for personal information on March 3, months before the attack.

Frontier, on the other hand, says the security of its systems is “a top priority for Frontier Airlines, and we take this matter very seriously.”

Funky timeline

Frontier flights aren’t the only things that are frequently late, according to the lawsuits. Both allege that the company did not adequately inform potentially affected people about the data breach until a month later.

While one lawsuit claims the breaches occurred in May and June, both lawsuits say the plaintiffs didn’t receive notification about the incidents until July 9 and July 14. Frontier says it immediately followed its protocol as soon as it became aware of the incident, however.

“[Frontier] kept the Class in the dark — thereby depriving the Class of the opportunity to try and mitigate their injuries in a timely manner,” Stean’s lawsuit reads.

Furthermore, Stean’s lawsuit claims that the notification failed to “include in that belated and inadequate notice precisely what specific types of information were accessed and taken by cybercriminals.” Beach’s lawsuit says that leaked information included addresses, Social Security numbers, driver’s license numbers, passport numbers, dates of birth and payment data.

Frontier did not provide information quickly enough for potentially affected people to react, both lawsuits argue.

Along with financial compensation, Stean wants Frontier to pay for credit monitoring for everyone in the class for at least three years.

Frontier “believes that this incident has been contained and has no evidence of continued unauthorized access to Frontier systems in connection with this incident,” the airline says.

A judge will now decide whether the lawsuit is a class action, allowing multiple people to potentially join.

Loading latest posts...