Korean Air discloses data breach after the hack of its catering and duty-free supplier

Korean Air discloses a data breach after a hack of its catering and duty-free supplier, KC&D, affecting thousands of staff.

Korean Air suffered a data breach after its in-flight catering supplier Korean Air Catering & Duty-Free (KC&D) was hacked, exposing the personal data of roughly 30,000 Korean Air employees.

Korean Air is South Korea’s flag carrier and one of the largest airlines in Asia, operating passenger and cargo services worldwide. It employs around 18,000–20,000 people globally and serves destinations across multiple continents. In 2024 it carried over 23 million passengers, and in 2025 it has transported more than 16 million passengers so far. The airline operates a large modern fleet and has hubs at Seoul’s major airports, connecting numerous international and domestic routes.

The company posted an internal notice stating that KC&D had informed them of a security breach involving personal data belonging to the airline’s employees, according to sources cited by Korea JoongAng Daily.

Korean Air pointed out that no customer data appears to have been compromised by the cyber incident.

Data breach of Korean Air employees notified in a post on Dec. 29, 2025 [JOONGANG ILBO] Source: Korea JoongAng Daily

“‘KC&D Service (KC&D),’ an in-flight meal and in-flight sales company that was spun off from our company in 2020 and operates as a separate entity, was recently attacked by an external hacker group. It is understood that during this process, the personal information (names, account numbers) of our employees stored on that company’s ERP server was leaked,” reads the notice. “Our company recently learned of this after receiving the information from KC&D Service. Although this incident occurred within the management scope of an external partner company that was spun off and sold, the company takes this matter very seriously as our employees’ information is involved.”

Korean Air stated that, upon learning of the breach, it implemented emergency security measures, reported the incident to authorities, and is working to identify the scope and affected employees. The airline confirmed no additional employee data has leaked but warned staff to watch for suspicious messages. Further guidance and support will be provided, and security protocols with partners will be fully reviewed to prevent recurrence.

“Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off,” said Woo Kee-hong, vice chairman of Korean Air, in a message to employees. “We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.”

Korean Air notified the relevant authorities and is investigating the incident to determine the precise scope and targets of the leak.

Korean Air did not attribute the attack to a specific threat actor; however, the Clop ransomware group claimed responsibility for the KC&D attack in November. The group added KC&D to its Tor data leak site and has already leaked the allegedly stolen data.

The Clop ransomware gang has been exploiting the critical Oracle EBS zero-day CVE-2025-61882 since early August, stealing sensitive data from numerous organizations worldwide, including Envoy Air, Harvard University, the Washington Post, Logitech, the University of Pennsylvania, and the University of Phoenix.

Clop (aka Cl0p) is a prolific Russian-speaking ransomware-as-a-service group specializing in big-game hunting and double-extortion.

The Clop ransomware group first appeared on the threat landscape around February 2019, emerging from the TA505 cybercrime group, a financially motivated gang active since at least 2014.

Like other Russia-based threat actors, Clop avoids targets in former Soviet countries and its malware can’t be activated on a computer that operates primarily in Russian.

Operators and affiliates identify high-value targets, steal sensitive data, encrypt networks, and then publish stolen files on data-leak sites to pressure victims into paying. Clop exploits zero-days and vulnerable third-party software (e.g., MOVEit, GoAnywhere, Oracle EBS), leverages initial-access brokers and automation, and uses evasion and lateral-movement techniques to maximize impact and monetization.

Clop’s victims include Shell, British Airways, Bombardier, University of Colorado, PwC, and the BBC.

The group conducted major campaigns including:

  • Accellion FTA (2020–2021): Exploited a zero-day in the file-transfer appliance to steal data from ~100 organizations.
  • GoAnywhere MFT (2023): Targeted a flaw (CVE-2023-0669) to compromise over 130 organizations.
  • MOVEit Transfer (2023): One of the largest ransomware campaigns in history, impacting hundreds of companies worldwide, including US and European firms, through a SQL injection zero-day (CVE-2023-34362).

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)