Multiple class action lawsuits recently filed in federal court claim an Interior Alaska Native Corporation failed to take reasonable steps to protect personal data from a cyberattack last year.
Court filings show at least four different plaintiffs have lodged a complaint against Doyon, Ltd., in Alaska District Court since mid-June, on behalf of themselves and “all others similarly situated.” A motion to consolidate the cases is now before Alaska District Court Judge Sharon Gleason.
Doyon is a regional Alaska Native corporation based in Fairbanks that operates companies in multiple industries, including utilities, construction and information technology, among others. The for-profit corporation’s website says Doyon has about 20,700 shareholders and employs 1,300 people nationwide.
The lawsuits all contain similar allegations, arguing that Doyon had shoddy measures in place to keep clients, employees, shareholders and their dependents sheltered from a data breach in April of last year.
That breach saw cyberattackers potentially gain access to files with sensitive personal details, like social security numbers and health information.
The lawsuits also allege that Doyon further failed to provide timely notice of the incident. They say the Alaska Native corporation knew of the cyberattack the day after it happened but didn’t inform people affected by the breach until this June, more than a year later.
The complaints conclude that victims now face “imminent risk of future identity theft and financial loss” due to what plaintiffs call Doyon’s “negligent conduct.”
It’s unclear how many people had their data leaked in the cyberattack. Alaska-based attorneys for the plaintiffs did not respond to a message requesting comment, and Cheyenna Kuplack, communications manager for Doyon, said the corporation doesn't comment on ongoing legal matters.
In a June 12 notice posted on its website, Doyon said the hackers used “sophisticated” tools in the April 2024 attack. The notice says that Doyon reported the incident to law enforcement after it happened and brought in outside lawyers and consultants to investigate and assess legal obligations.
The Alaska Native corporation also said it has implemented new data security measures since last year and is offering two free years of credit monitoring to people affected by the cyberattack.
But according to the plaintiffs, that’s not enough. The lawsuits seek additional relief, including financial compensation and a variety of demands relating to Doyon’s future treatment of personal information.
This story was updated to reflect Doyon declining a request for comment.