Urgent: 30,000 Korean Air Employee Records Stolen by Cl0p Gang

UPDATE: Korean Air has confirmed a massive data breach, with the personal details of approximately 30,000 current and former employees stolen by the notorious Cl0p gang. This alarming breach, announced on December 29, 2025, poses a significant threat to employee security and follows a troubling pattern of cyberattacks in South Korea’s aviation sector.

The breach did not originate in Korean Air’s main systems but at KC&D Service, a company that handles in-flight meals and duty-free goods. Although KC&D was sold to Hahn & Company in 2020, Korean Air still retains a 20% stake in the business. The company reported that the hackers compromised KC&D’s ERP server by targeting a vulnerability in the widely used Oracle E-Business Suite. This vulnerability, tracked as CVE-2025-61882, allowed hackers to bypass security measures without requiring login credentials.

“KC&D Service was recently attacked by an external hacker group,” an official statement read, confirming that sensitive employee information, including names and bank account numbers, was leaked.

The Cl0p gang, a Russian-speaking group known for its high-profile attacks, has claimed responsibility for this incident. They have begun releasing nearly 500 GB of stolen files on the dark web after Korean Air and other targets refused to pay ransom demands. This breach is part of a broader trend, with Cl0p previously targeting organizations like Envoy Air and Harvard University using similar tactics.

While the stolen data primarily affects employees, Korean Air has reassured the public that customer information, including flight bookings and credit card details, remains secure. Vice Chairman Woo Kee-hong emphasized the seriousness of the incident in a message to employees, stating, “We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.”

In response to the breach, Korean Air has implemented emergency security updates and severed digital ties with KC&D to prevent further data leaks. The airline has also reported the breach to the Korea Internet and Security Agency (KISA) and is urging employees to be vigilant against potential follow-up scams, such as phishing attacks.

This incident occurs against a backdrop of significant data breaches in South Korea, including a recent attack on Coupang, where the personal information of 33.7 million users was compromised. The country has become increasingly vulnerable to cyber threats, raising concerns about the security of personal data across various sectors.

As the investigation unfolds, Korean Air employees and the public are urged to stay informed and alert. This breach highlights the urgent need for enhanced cybersecurity measures in an era where digital threats are rampant and evolving. Stay tuned for further updates on this developing story.