Dec 31
Korean Air Confirms Data Breach Affecting 30,000 Employees After Third‑Party Hack
Korean Air has confirmed a major data breach affecting approximately 30,000 current and former employees, marking one of the aviation sector’s most significant cybersecurity incidents of the year. The disclosure, made on December 29, 2025, comes just weeks after Asiana Airlines reported a similar compromise involving 10,000 staff records.
According to reporting from Korea JoongAng Daily, the breach did not originate from Korean Air’s internal systems. Instead, attackers infiltrated KC&D Service, a former Korean Air division responsible for in‑flight catering and duty‑free operations. KC&D was spun off and sold to private equity firm Hahn & Company in 2020, though Korean Air still maintains a 20% stake and continues to rely on the company for onboard services. Hackers reportedly accessed KC&D’s enterprise resource planning server, leaking employee names, bank account numbers, and other sensitive information.
Investigators believe the attackers exploited a critical vulnerability in Oracle E‑Business Suite, identified as CVE‑2025‑61882, which allows unauthorized users to bypass authentication and seize control of affected servers. The same flaw was used earlier this year in the breach of Envoy Air, the largest regional carrier operating under American Airlines.
The Cl0p ransomware gang has claimed responsibility for the attack. According to new reporting from Hackread.com, the Russian‑speaking extortion group has been exploiting the Oracle vulnerability since August and has targeted a wide range of high‑value organizations, including Envoy Air, Harvard University, the University of Pennsylvania, The Washington Post, and Logitech. Cl0p has already begun leaking nearly 500GB of Korean Air’s stolen data on the dark web after the affected companies declined to pay ransom demands.
Korean Air stated that customer data, including flight bookings and payment information, was not impacted. Vice chairman Woo Kee‑hong told employees the company is taking the incident “very seriously” and is working to determine the full scope of the exposure. The airline has implemented emergency security patches, severed digital connections with KC&D, and notified the Korea Internet and Security Agency. Employees have been urged to remain vigilant against phishing attempts and other follow‑up scams.
The breach adds to a growing list of major cyber incidents in South Korea this year. Earlier in December, e‑commerce giant Coupang confirmed a breach affecting all 33.7 million of its users, prompting government raids and the resignation of its CEO. In May, SK Telecom revealed that malware had gone undetected in its systems for nearly two years, resulting in the exposure of more than 26 million IMSI identifiers and nearly 10GB of USIM data. With multiple high‑profile attacks in rapid succession, cybersecurity experts warn that South Korea’s critical industries remain prime targets for increasingly sophisticated threat actors.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).