30,000 Korean Air Employee Records Stolen After Third-Party Software Hack

30,000 Korean Air Employee Records Stolen as Cl0p Leaks Data Online

Korean Air confirms a major data leak affecting 30,000 staff members after the Cl0p gang targeted a catering partner. Learn what data was stolen and the airline’s response to secure its data.

In a worrying turn of events for the aviation industry, Korean Air has confirmed that the personal details of roughly 30,000 current and former employees have been stolen. This news, shared on December 29, 2025, follows a similar security problem at South Korea’s Asiana Airlines earlier this month, where 10,000 staff records were compromised.

How did the breach happen?

Korea JoongAng Daily reports that the data was not taken directly from Korean Air’s main systems. Instead, the hackers targeted a company called KC&D Service (Korean Air Catering & Duty-Free).

This company used to be a division of Korean Air but was sold to a private investment group named Hahn & Company in 2020. Despite the sale, KC&D still handles in-flight meals and duty-free goods for the airline, and Korean Air still holds a 20% stake in the business.

“KC&D Service (KC&D)*, an in-flight meal and in-flight sales company that was spun off from our company in 2020 and operates as a separate entity, was recently attacked by an external hacker group. It is understood that during this process, the personal information (names, account numbers) of our employees stored on that company’s ERP server was leaked,” the notice reads.

Official breach notice from Korean Air (source: Korea JoongAng Daily)

The attackers reportedly broke into KC&D’s ERP server (the main system used to manage company resources), likely by exploiting a vulnerability in Oracle E-Business Suite (EBS), a popular business software suite.

This specific vulnerability, tracked as CVE-2025-61882, may have allowed hackers to bypass security checks and take control of the server without needing a username or password. The same vulnerability had previously allowed attackers to breach Envoy Air, the largest carrier operating under American Airlines.

Who is Responsible?

This suspicion arises because the infamous digital extortionist group known as the Cl0p gang has claimed responsibility for this data breach. Hackread.com’s recent reporting reveals that Cl0p, a Russian-speaking gang famous for targeting high-value organisations, has been exploiting this Oracle software flaw since early August.

Korean Air is just one of its many victims, as Cl0p has used this same method to target organisations worldwide, including Envoy Air (an American Airlines subsidiary), Harvard University, the University of Pennsylvania, The Washington Post, and Logitech.

In this instance, the group has already started posting nearly 500 GB of stolen files on the dark web because the affected companies refused to pay a ransom.

Cl0p ransomware has leaked almost 456 GB of the Korean Air data (Image credit: Hackread.com)

What information was taken?

The stolen data reportedly includes very sensitive details such as employee names and bank account numbers stored in the company’s resource planning system. While this is a major concern for the staff, the airline has been quick to reassure the public that customer data, such as flight bookings or credit card details, was not affected in this specific incident.

Woo Kee-hong, the vice chairman of Korean Air, sent a personal message to his team explaining that the company is taking the matter “very seriously.”

“Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.”

The airline has already finished emergency security updates and cut off digital links with KC&D to stop any more data from leaking. It has also reported the situation to the Korea Internet and Security Agency (KISA) and is now warning employees to be extremely careful about suspicious text messages or emails that might be part of a follow-up scam.

South Korea and Recent Data Breaches

South Korea has been the epicentre of large-scale data breaches and cyber attacks. Earlier in December 2025, Coupang, the country’s shopping giant and Amazon alternative, suffered a data breach in which all of its 33.7 million users had their data stolen. Days later, the company’s offices were raided, and its CEO, Park Dae-jun, had to resign.

In May 2025, South Korean telecommunications giant SK Telecom revealed a malware attack that remained hidden for nearly two years, leading to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.