Korean Air Data Breach by Clop Ransomware Impacts 30,000 Employees

A Korean Air data breach has affected thousands of employees after hackers breached the airline’s supplier, Korean Air Catering & Duty-Free (KC&D).

KC&D was spun off from Korean Air in 2020, when private equity firm Hahn & Company acquired it. Besides Korean Air, it serves other companies in Asia and across the world.

Korean Air data breach impacts 30,000 employees

After discovering the data breach, KC&D notified Korean Air that a cybersecurity incident had compromised the personal information of its employees. Since Korean Air still considers KC&D employees as its own, it treated the matter with the utmost urgency and issued an internal memo.

“Although this incident occurred within the management domain of an external partner company spun off from us, the company views this matter with the utmost seriousness as it involves the information of our employees,” the memo stated.

According to the nation’s largest airline, the data breach leaked employee information, including their names and bank account numbers. However, other personal details, such as email addresses, phone numbers, or postal addresses, were seemingly unaffected.

“During this incident, personal information (names, bank account numbers) of our employees stored in the company’s ERP system on the affected servers was compromised,” it explained.

According to local news outlets like Korea JoongAng Daily, the data breach compromised approximately 30,000 employee records. However, the airline assesses that its customer records were not affected.

Meanwhile, Korean Air has notified the relevant authorities and claims no evidence suggests that the stolen information has been misused. It also advised impacted employees to be wary of suspicious messages purporting to originate from the company to avoid leaking more personal details, such as credit card information.

“However, to prevent potential secondary damage, all employees are urged to exercise extreme caution regarding suspicious texts or emails requesting transfers impersonating the company or financial institutions, or demanding security card numbers.”

The national air carrier also requested KC&D to conduct a comprehensive investigation and implement the necessary cybersecurity measures to prevent a similar incident in the future.

“We are working to fully understand the details of the breach and have urged KC&D to analyze the incident and prevent any recurrence,” the airline’s official stated.

The airline has also launched an investigation to determine the full scope of the cyber incident and identify all the affected individuals.

“We also plan to further strengthen our personal data protection posture,” they added.

Korean Air data breach linked to the Clop ransomware gang

So far, Korean Air has not attributed the data breach to any hacking group. However, on November 21, 2025, the Clop ransomware gang claimed responsibility for the KC&D breach by listing the supplier on a dark web data leak site and publishing 500GB of the stolen information.

While Clop did not disclose the attack vector, the Russian-speaking ransomware group had compromised over 100 organizations via Oracle’s E-Business Suite (EBS) applications by exploiting CVE-2025-61882, a critical (CVSS v3 9.8) zero-day vulnerability. KC&D was using EBS at the time of the cyber attack.

Organizations compromised by the Clop ransomware group via EBS include Envoy Air (a subsidiary of American Airlines), GlobalLogic, Harvard University, Logitech, the University of Pennsylvania, and The Washington Post.

Another Korean airline, Asiana Airlines, had previously disclosed that hackers had compromised the personal information of 10,000 employees. While a connection is possible, no evidence currently suggests that the Asiana Airlines data breach was related to the Korean Air or EBS hacks.