Tags: breach, South Korea, Security Affairs

Korean Air discloses data breach after the hack of its catering and duty-free supplier

Monday, December 29, 2025


What

Korean Air suffered a data breach affecting approximately 30,000 of its employees after its in-flight catering and duty-free supplier, KC&D, was compromised by an external hacker group. The breach involved the leakage of employee names and account numbers from KC&D's ERP server. The Clop ransomware group claimed the attack in November 2025 and subsequently published the stolen data. Upon learning of the incident, Korean Air implemented emergency security measures, reported it to the authorities, and confirmed that no customer data was affected.

Where

The incident primarily affects Korean Air, South Korea's flag carrier, and its spun-off supplier, KC&D, which operates as a separate entity. The breach exposed data belonging to Korean Air employees.

When

The Clop ransomware group claimed responsibility for the KC&D attack in November 2025, having already leaked the allegedly stolen data. Korean Air officially disclosed the data breach on December 29, 2025, after being informed by KC&D. Clop has been exploiting the Oracle EBS zero-day CVE-2025-61882 since early August 2025.

Key Factors

  • The Clop ransomware group, a prolific Russian-speaking ransomware-as-a-service (RaaS) group known for big-game hunting and double-extortion, claimed responsibility for the KC&D attack and leaked the stolen data on their Tor site.
  • Clop has been actively exploiting a critical Oracle EBS zero-day vulnerability, CVE-2025-61882, since early August 2025, which is a likely vector for the compromise of KC&D's ERP server.
  • The breach specifically targeted an external partner, KC&D, which was spun off from Korean Air in 2020, highlighting the supply chain risk associated with third-party vendors managing sensitive employee data.
  • Korean Air's internal notice confirmed that the leaked personal information included employee names and account numbers, stored on KC&D's ERP server, but explicitly stated that no customer data was compromised.

Takeaways

  • Organizations must conduct thorough security assessments and continuous monitoring of third-party vendors and supply chain partners, especially those handling sensitive employee or customer data.
  • The incident underscores the persistent threat posed by sophisticated ransomware groups like Clop, which actively exploit zero-day vulnerabilities in widely used software to achieve initial access and data exfiltration.
  • Implement robust data segregation and access controls to limit the impact of a breach originating from a third party, ensuring that critical customer data is neither stored on nor accessible via less secure partner systems.
Source: Security Affairs