
Frontier Airlines is hitting turbulence on the ground, as two new federal lawsuits accuse the Denver-based carrier of failing to protect sensitive data in a pair of cyberattacks this spring. The suits claim hackers walked off with personal information from employees and customers in May and June, and that Frontier dragged its feet on telling people what happened, setting up a potential class-action battle in Colorado federal court. Frontier says it is still investigating, while plaintiffs are already pushing for cash damages and long-term safeguards for anyone caught up in the breach.
What The Lawsuits Allege
Both lawsuits were filed on July 15 in the U.S. District Court for the District of Colorado, one by former employee Kimah Beach and the other by Colorado customer Grace Stean, and both ask to be certified as class actions, according to Westword. The complaints say Frontier fell short of Federal Trade Commission data-security guidance and kept people in the dark about exactly what was taken and when. Stean’s filing asks the court to force Frontier to provide at least three years of credit monitoring for everyone in the putative class.
Researcher: Boarding Pass Worked Like A 'Skeleton Key'
Long before the lawsuits landed, independent security researcher BobDaHacker published a technical breakdown in mid-June that painted an unflattering picture of Frontier’s tech defenses. According to the write-up, Frontier’s mobile booking API would spit out a full internal booking record as long as an attacker had a PNR, also known as a record locator, and a passenger’s last name, which are both printed on every boarding pass. The researcher says that the response included unmasked passport numbers, full home addresses, Known Traveler Numbers, and payment details, and that Frontier was first alerted to the problem on March 3, with those findings laid out in a public report by BobDaHacker.
Who’s Behind The Attacks?
The lawsuits point the finger at a group known as Scattered Lapsus$ Hunters, which security experts say borrows tricks from several of the most notorious cybercrime crews operating today. Security firm Picus describes the outfit as a cybercrime “supergroup” that leans heavily on social engineering, help-desk vishing, and high-volume data harvesting. Intelligence provider Dataminr reports that members of the collective have managed to extort hundreds of millions of dollars since 2025.
Frontier's Response And The Next Steps
Frontier, for its part, says it flipped into crisis mode once the incident came to light. The company “initiated our incident response protocols, notified law enforcement and engaged a third-party cybersecurity firm to conduct a comprehensive investigation” and is “in the process of notifying affected individuals,” according to a statement the airline provided to Westword. The complaints, however, say some people did not hear from Frontier until July 9 and July 14, even though the alleged attacks took place in May and June. A judge will now have to decide whether either case can move forward on behalf of a broader class.
Legal Outlook
If a court concludes that Frontier failed to live up to the FTC’s data-security expectations, the airline could be on the hook for monetary damages and court-ordered changes to its security practices. The FTC’s “Start With Security” materials spell out that companies are expected to put reasonable safeguards in place and respond to breaches in a timely way. Any exposure of payment information would also trigger obligations under the PCI Data Security Standard, and guidance from the PCI Security Standards Council notes that incident response plans can require companies to notify payment brands and acquiring banks after a suspected compromise of cardholder data.









