Regional airline SkyWest Airlines is suing two of its former pilots, alleging they hacked into the company’s internal computer system and extracted the private personal information of thousands of coworkers in an effort to unionize fellow pilots.
Regional Airline Sues Two Pilots, Alleging Internal Systems Were Accessed To Harvest Coworkers’ Personal Data
SkyWest Airlines has filed a federal lawsuit against two of its former pilots, accusing them of improperly accessing internal company systems to obtain the personal contact information of thousands of coworkers. SKyWest operates regional service for Alaska Airlines, American Airlines, Delta Air Lines, and United Airlines.
The complaint, filed in U.S. District Court in Utah, alleges that former SkyWest pilots Daniel Moussaron and Vikaas Krithivas accessed protected portions of the airline’s internal employee portal and extracted personal data, including home addresses and cellphone numbers, belonging to nearly 5,000 pilots and flight attendants.
According to SkyWest, the access occurred between August and December 2025 through the company’s internal SkyWest Online (SWOL) system, a portal used by employees for scheduling, payroll, and company communications.
SkyWest claims the pilots “intentionally accessed a protected computer without authorization, or exceeded authorized access,” in violation of the federal Computer Fraud and Abuse Act, as well as breached their employment agreements and fiduciary duties to the airline.
What SkyWest Says Happened
In its filing, SkyWest alleges that the two pilots were able to view employee data fields that were not ordinarily visible to other pilots. The airline claims the information was then used to contact coworkers directly on their personal phones, prompting complaints from employees and triggering an internal investigation.
According to the lawsuit, a SkyWest officer reported receiving a call from an unidentified individual who claimed to have “found a backdoor to the company directory,” a statement the airline cites as evidence that the access was intentional and unauthorized.
SkyWest argues that even if the pilots did not “hack” the system in a traditional sense, they knowingly bypassed role-based access restrictions designed to protect sensitive employee data.
The airline is seeking a jury trial, injunctive relief, and damages, though it has not specified a dollar amount.
The Pilots’ Response: “We Didn’t Hack Anything”
The pilots dispute SkyWest’s characterization of events.
In court filings and public statements, Moussaron has argued that the data was accessed using standard browser developer tools and that the information was already available through the system to which he had legitimate login credentials.
His argument, in essence, is that SkyWest failed to properly secure its own systems and is now attempting to criminalize behavior that exploited poor internal design rather than bypassed security controls.
Krithivas, meanwhile, has said that the access occurred in the context of union organizing efforts and that there was no intent to harm coworkers or misuse their data. He has characterized SkyWest’s lawsuit as retaliatory, coming amid increased labor tensions and pilot dissatisfaction at the airline (SkyWest pilots are not unionized, but the Air Line Pilots Association [ALPA] is aggressively courting pilots to unionize).
Neither pilot has been criminally charged: currently this is a civil lawsuit, though SkyWest does reference potential violations of federal law in its complaint. The pilots says this is a labor matter, with attorney Jonathan Thorne arguing, “The conduct that they’ve accused him of is union organizing activity that’s protected under The Railway Labor Act. He didn’t hack their system, there was no conspiracy here, he didn’t use confidential information. SkyWest had an online directory that provided him access to employees’ contact information that he used as part of union organizing efforts.”
You can review the case docket here.
This Is Really About Access, Not “Hacking”
What makes this case interesting is that it sits in a gray area that airlines, tech companies, and courts have struggled with for years.
The Computer Fraud and Abuse Act was written in 1986, long before modern web-based enterprise systems became ubiquitous. Courts have repeatedly wrestled with the question of whether using legitimate credentials to access information in unintended ways constitutes illegal access, or simply misuse of authorized access.
SkyWest’s position is clear: authorization is defined by intent and role, not by technical possibility. The pilots’ position is equally clear: if the system allowed access without bypassing authentication controls, responsibility lies with the system owner.
That’s quite pertinent to the airline industry, which heavily relies on internal systems that aggregate vast amounts of sensitive employee data. Pilots, flight attendants, and other employees routinely access portals that combine scheduling, training, contact information, and operational tools.
If SkyWest prevails, the case could strengthen airlines’ ability to pursue civil action against employees who use internal tools in ways the company deems inappropriate, even absent traditional “hacking.” If the pilots prevail, it may reinforce the idea that airlines bear responsibility for securing their own systems and cannot retroactively redefine authorization when design flaws are exposed.
My own assessment is that if the pilots signed an NDA not to disclose company information and then did the opposite, even if it was made possible by SkyWest’s poor IT infrastructure, the carrier was justified in terminating both of them. The boast that they “found a backdoor” into the company directory strikes me as particularly damning, if true. Seeking an injunction to prohibit ALPA from using this illicitly-obtained information also strikes me as reasonable on the part of SkyWest.
CONCLUSION
SkyWest has sued two pilots for what it calls “hacking” into its internal systems and then misappropriating that information, framing this as a serious breach of trust and security. The pilots are framing it as an overreaction to a system that exposed data it never should have in the first place.
It’s an interesting case with the added wrinkle that the info was not used for direct pecuniary gain, but to organize workers, which is protected activity under most contexts.
As I see it, the pilots broke no law and should face no civil liability, but also have no grounds for wrongful termination if they knowingly circumvented company systems in contravention of their employment contract.
image: Delta
Salty SkyWest needs to get over themselves. They’re just mad that the pilots attempted to unionize and took advantage of their sh!t IT systems.
In-house ‘union’ (SAPA/SIA) isn’t a real union. Department of Labor sued SkyWest in 2024 over the ‘fake’ union. These crews should definitely form a union for job protection, because in-house associates won’t help them much. It’s sneaky how the planes may say United, Delta, American, or Alaska, but it’s technically the subsidiary. Mainline pilots on all four airlines already have unions (some, like Delta, since 1934!); flight attendants do too, except at Delta, where management (and folks like Tim Dunn) keep tricking them out of doing what would be in their best interests…
Hello Matt. This reminds me of many cases you’ve profiled such as the woman who claimed an FA harassed her for putting a diaper in the 1st class lavatory. I think it was Farah Naz Khan. Whatever happens with them? I just googled and didn’t get a good response (then again, google doesn’t appear to be a 1st rate search engine anymore…)
Anyhoo, from what I read, the challenge will be the following:
1) Did the company have a basic terms-of-use agreement that all employees were required to sign or “click” to define such shenanigans as actionable?
2) Using company resources out-of-scope to contact someone for non “work” related manners is likely a fireable offense.
3) Why didn’t the company press charges? The defense counsel is sure to bring this up.
4) WHAT “damages?” Yes, it’s annoying they pestered some employees but unless someone sued them or there’s an actionable loss, it’s a waste of time for the jury.
“Krithivas, meanwhile, has said that the access occurred in the context of union organizing efforts and that there was no intent to harm coworkers or misuse their data.” I contend than unions inherently harm workers.
While many unions were infiltrated by the mob, the airline unions are a bastion against the rest of the outsourcing and cheap labor immigration woes pushing the west down to the bottom.
Why did the commie get Chernobyl and we got H-1bs? Because the commies got first pick.
for what it’s worth, the CR9 you have as the lead photo is an Endeavor bird
Or that’s what the current registration shows?
Did they breach company Code of Conduct? If they did, there’s not a leg to stand on, I know that in health; at least in Australia; accessing your own medical records without a valid reason is a breach of privacy laws, and can result in a practitioner being sanctioned by their registration authority. I suggest that if the conduct of these individuals prompted complaints from other employees then they’re in the wrong, and were dealt-with appropriately.