
Cyber Incident Victim: Korean Air

Date: Nov 2025

Location: South Korea

Summary

Korean Air disclosed that hackers accessed personal information of about 30,000 current and former employees after breaching its former subsidiary, the catering and duty‑free unit, which supplies catering to many airlines. The stolen data included names and bank account numbers, while customer records remained unaffected. The intrusion is linked to a widespread Oracle E‑Business Suite zero‑day exploit campaign that has affected over a hundred organizations, with the Cl0p ransomware group claiming responsibility and publishing roughly 500 GB of data taken from the subsidiary on its leak site. Other aviation firms such as Envoy Air have also been identified as victims in the same campaign.


Description

Korean Air disclosed a data breach affecting approximately 30,000 of its current and former employees after its former subsidiary and current catering supplier, Korean Air Catering & Duty‑Free (KC&D), reported that employee information had been compromised. KC&D, which was originally a division of Korean Air before being spun off and sold to a private equity firm in 2020, informed the airline of the incident according to Korea JoongAng Daily. Korean Air confirmed that hackers had stolen names and bank account numbers from KC&D’s systems, emphasizing that no customer data was exposed in the breach. The airline made the disclosure public on December 31, 2025.


The breach is described as likely connected to a broader Oracle E‑Business Suite (EBS) campaign in which attackers exploited zero‑day vulnerabilities to infiltrate data stored by more than 100 organizations worldwide. Security analysts have linked the campaign to a cluster of the FIN11 threat group, while the Cl0p ransomware group publicly claimed responsibility, adding KC&D to its Tor‑based leak site on November 21, 2025 and subsequently releasing nearly 500 GB of archives allegedly stolen from the company. Other aviation sector victims of the same campaign include American Airlines’ subsidiary Envoy Air, which was among the first confirmed targets. A separate incident at Asiana Airlines, which reported the possible theft of about 10,000 employee records around the same time, was stated to show no indication of being related to the Oracle EBS campaign.

The compromised data consisted of employee names and bank account numbers, while Korean Air emphasized that no customer information was involved in the incident. The airline confirmed the breach, disclosed the approximate number of affected employees, and communicated that customer data remained secure. No additional details regarding specific containment, eradication, or notification procedures were provided in the source articles.
