Cyber Incident Victim: Korean Air Catering & Duty-Free
Date: Nov 2025
Location: South Korea
Summary
Korean Air disclosed that hackers stole personal information of about 30,000 current and former employees from its former subsidiary Korean Air Catering & Duty‑Free, which was compromised in an Oracle E‑Business Suite attack. The breach exposed names and bank account numbers while customer data remained unaffected, and the catering firm was later listed on a ransomware group's leak site after refusing to pay. This incident is part of a broader campaign affecting multiple organizations across industries.
Description
Korean Air Catering & Duty‑Free (KC&D) was originally a division of Korean Air before it was spun off and sold to a private equity firm in 2020, after which it continued to provide catering and duty‑free services to Korean Air and many other airlines across Asia and beyond. In late 2025 KC&D informed Korean Air that information belonging to the airline’s employees had been compromised, prompting Korean Air to disclose a data breach affecting roughly 30,000 current and former employees. The compromised data included names and bank account numbers, while Korean Air explicitly stated that no customer data was exposed in the incident. The breach was linked to the broader Oracle E‑Business Suite (EBS) campaign that exploited zero‑day vulnerabilities in the enterprise management software to infiltrate more than 100 organizations.

The Oracle EBS campaign has been attributed to a cluster of the FIN11 threat group, with the Cl0p ransomware group publicly claiming responsibility and posting victim names on its Tor‑based leak site. KC&D was added to the Cl0p leak site on November 21, 2025, and the attackers subsequently released nearly 500 GB of archives containing files allegedly stolen from the company. Besides KC&D, the campaign hit dozens of other major organizations, and within the aviation sector the American Airlines subsidiary Envoy Air was identified as one of the first confirmed victims. The disclosure of the Korean Air breach came just days after Asiana Airlines reported a separate incident in which approximately 10,000 employee records may have been stolen, although there is no indication that the Asiana event is related to the Oracle EBS campaign.

Korean Air confirmed that hackers had stolen the information of about 30,000 of its employees from KC&D and communicated that customer data remained unaffected. The airline said that KC&D had notified it of the compromise, and that the stolen data consisted of employee names and bank account details. Korean Air’s public disclosure emphasized that the breach was limited to employee records and did not involve any passenger or customer information. The statement concluded with the airline’s acknowledgment of the incident and its confirmation that the data exposure stemmed from the Oracle EBS attack on its former catering subsidiary.
