Korean Air Employee Bank Details Exposed After Hack of Former Catering Unit
When Korean Air employees opened an internal notice on Dec. 29, the warning did not come from a bank or a regulator. It came from their employer, explaining that a former subsidiary—a catering and duty-free company spun off years earlier—had been hacked. On an enterprise server run by that firm sat files with the names and bank account numbers of tens of thousands of Korean Air workers.
Now, the airline said, that information had been exposed in a cyberattack linked to a wider hacking campaign targeting a critical Oracle software flaw.
Korean Air Lines Co. confirmed that personal data on about 30,000 current and former employees was compromised after KC&D Service, its former in-flight catering and onboard sales unit, suffered a breach of an enterprise resource planning (ERP) system. While the airline stressed that no customer information or flight operations were affected, the incident has drawn attention because it ties a flagship carrier to a global exploitation wave of an Oracle E-Business Suite vulnerability and to the Cl0p extortion group.
“This incident occurred within the management scope of an external partner company that was spun off and sold,” Korean Air told employees in the Dec. 29 notice. “However, the company takes this matter very seriously as our employees’ information is involved.”
The case illustrates how legacy data and third-party systems can become the weak link in critical industries, even when core networks are not directly breached.
A breach at a sold-off unit
KC&D, known formally as Korean Air Catering & Duty-Free, was separated from Korean Air and sold to private equity firm Hahn & Company in 2020. Despite the sale, KC&D continued to provide in-flight meals and onboard sales services to Korean Air and maintained an ERP environment that still contained personnel data from the period when it operated as an in-house division.
According to the internal notice and subsequent statements reported in South Korean media, information exposed includes employee names and bank account numbers. Some cybersecurity outlets have said additional contact and employment details were also affected, but Korean Air has not published a full field-by-field list.
The airline said the breach did not involve passenger records. There have been no public reports of impact on flight safety or operational systems, and the compromise appears confined to KC&D’s business applications.
A wider Oracle EBS exploitation wave
The breach emerged weeks after threat intelligence firms and national cybersecurity agencies warned that criminal actors were exploiting a zero-day flaw in Oracle E-Business Suite, Oracle’s flagship ERP platform used by large enterprises to run finance, human resources, supply chain and other core functions.
The vulnerability, tracked as CVE-2025-61882, affects supported Oracle E-Business Suite 12.2 releases. Oracle rated it 9.8 out of 10 on the Common Vulnerability Scoring System and said it allows remote code execution over HTTP without authentication or user interaction. The company issued an emergency security alert and patch on Oct. 4, 2025, saying it was aware the bug was already being exploited in the wild and “strongly recommended” that customers apply fixes immediately.
U.S. authorities moved quickly. The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog on Oct. 6 and ordered federal agencies using affected Oracle products to patch by late October. National computer emergency response teams in multiple countries also issued alerts, some explicitly warning that the Cl0p ransomware group was abusing the bug.
Security researchers say exploitation of the Oracle E-Business Suite flaw began at least by Aug. 9, 2025. In technical analyses, they describe attackers sending crafted HTTP requests to exposed Oracle EBS endpoints, leveraging a chain of weaknesses to upload malicious templates and execute arbitrary code on the underlying application server. From there, intruders can query databases that store HR, payroll and other sensitive records and quietly exfiltrate large volumes of data.
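The analyses above describe the attack only at the level of crafted HTTP requests to an exposed EBS web tier followed by bulk data pulls. The script below is an added example (not from the article, Oracle, or any of the firms cited) of how a defender could triage web-server access logs for exactly those two signals: an external source repeatedly posting to the application without ever loading the interactive login page, and a source being served an implausible volume of bytes. The log lines are constructed; the /OA_HTML/ prefix and /OA_HTML/AppsLogin page are assumed to be the EBS web-tier path conventions, the "placeholder_*" paths are invented stand-ins, and the internal address ranges and thresholds are assumptions to tune per environment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not real KC&D or
# Korean Air data). /OA_HTML/ is assumed to be the Oracle EBS web-tier prefix and
# /OA_HTML/AppsLogin its interactive login page; "placeholder_*" paths are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:09:01:10 +0900] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Nov/2025:09:01:15 +0900] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2025:09:02:01 +0900] "POST /OA_HTML/placeholder_endpoint HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.9 - - [12/Nov/2025:09:02:03 +0900] "POST /OA_HTML/placeholder_endpoint HTTP/1.1" 200 398 "-" "python-requests/2.31"
203.0.113.9 - - [12/Nov/2025:09:02:05 +0900] "POST /OA_HTML/placeholder_endpoint HTTP/1.1" 500 233 "-" "python-requests/2.31"
203.0.113.9 - - [12/Nov/2025:09:02:40 +0900] "GET /OA_HTML/placeholder_export HTTP/1.1" 200 734003200 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed corporate address space; replace with the organisation's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not raised."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec


def triage(log_text, ebs_prefix="/OA_HTML/", login_page="/OA_HTML/AppsLogin",
           post_threshold=3, byte_threshold=100 * 1024 * 1024):
    """Return {source_ip: [reasons]} for sources that deserve analyst attention."""
    posts = defaultdict(int)      # POSTs to the EBS web tier per source
    saw_login = set()             # sources that loaded the interactive login page
    out_bytes = defaultdict(int)  # bytes served per source (exfiltration signal)
    for rec in parse(log_text):
        if not rec["path"].startswith(ebs_prefix):
            continue
        ip = rec["ip"]
        out_bytes[ip] += rec["size"]
        if rec["path"] == login_page:
            saw_login.add(ip)
        elif rec["method"] == "POST":
            posts[ip] += 1
    findings = defaultdict(list)
    for ip in set(posts) | set(out_bytes):
        if not is_internal(ip) and ip not in saw_login and posts[ip] >= post_threshold:
            findings[ip].append("external source posting to EBS without visiting the login page")
        if out_bytes[ip] >= byte_threshold:
            findings[ip].append(f"bulk response volume: {out_bytes[ip]} bytes")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the constructed lines, only 203.0.113.9 is reported, on both counts; the internal user who loaded the login page and posted once is not. The byte-volume check is the one most likely to survive changes in attacker tooling, since a payroll or HR export is large regardless of which endpoint was abused to reach it.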
The campaign has hit a broad mix of organizations. Envoy Air, an American Airlines subsidiary, confirmed in October that it was affected by an Oracle-linked hacking operation. Security firms and dark web monitoring services have identified universities, media companies, manufacturers and industrial firms among those listed on extortion sites claiming Oracle-related breaches.
KC&D named on Cl0p leak site
KC&D is one of those victims. Around Nov. 21, 2025, the company’s name appeared on a Tor-based leak site used by the Cl0p group, according to threat intelligence reports. The site later published roughly 500 gigabytes of compressed data that Cl0p claimed to have stolen from KC&D systems.
Korean Air’s notices to staff do not name Oracle, the specific vulnerability, or Cl0p. They refer instead to an “external hacker group” and an attack on KC&D’s ERP server. However, security firms tracking the Oracle EBS exploitation wave say the KC&D incident aligns with the same campaign, citing the timing, victim profile, use of Oracle E-Business Suite and the appearance of KC&D on Cl0p’s leak site. They assess the connection with what they describe as medium confidence.
In a statement reported by local outlets, Korean Air vice chairman Woo Kee-hong said the airline was “focusing all our efforts on identifying the full scope of the breach and who was affected” and had implemented “emergency security measures” in cooperation with KC&D. The company said it had notified relevant South Korean authorities.
Legal and practical fallout
Under South Korea’s Personal Information Protection Act, organizations that handle personal data must put in place technical and administrative safeguards and notify regulators and affected individuals of certain breaches. The law applies not only to the company that directly stores the data, but also to entities that share employee information with service providers.
In this case, KC&D operated the compromised system and is expected to face scrutiny as the immediate personal information controller. But regulators may also examine Korean Air’s oversight of vendors and how it governed employee data after selling the catering unit, including whether data that was no longer necessary for operations should have been deleted or anonymized.
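The question of whether data that was no longer needed should have been deleted or anonymized is, in engineering terms, a retention policy applied to a legacy personnel table. The script below is an added example, not anything Korean Air or KC&D has published, of such a policy run over a divested unit's records: people the system no longer pays and whose separation is past the retention window are deleted; people still within the window keep a record but have the bank account replaced by a keyed pseudonym; only those actually paid by the system keep the plain account number. The records, names, account numbers, retention period and key are all constructed or assumed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class PersonnelRecord:
    employee_id: str
    name: str
    bank_account: Optional[str]
    employment_end: Optional[date]   # None = still employed by the divested unit
    paid_by_this_system: bool        # True only if this ERP still runs the person's payroll


# Assumed policy values; neither company has published its actual retention period.
RETENTION_AFTER_SEPARATION = timedelta(days=3 * 365)
TODAY = date(2025, 12, 29)

# Constructed sample records: names and account numbers are invented.
SAMPLE_RECORDS = [
    PersonnelRecord("E001", "Hong Gil-dong", "110-123-456789", date(2019, 6, 30), False),
    PersonnelRecord("E002", "Kim Yeong-hui", "220-987-654321", date(2024, 3, 31), False),
    PersonnelRecord("E003", "Lee Cheol-su", "330-555-000111", None, True),
    PersonnelRecord("E004", "Park Ji-min", None, None, False),
]


def pseudonymize(account: str, key: bytes) -> str:
    """Keyed HMAC rather than a plain hash: account numbers have little entropy, so an
    unkeyed SHA-256 could be reversed by hashing every plausible number. The key must
    live outside the ERP, or a breach of the ERP takes the key along with the tokens."""
    return "tok_" + hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]


def decide(record: PersonnelRecord, today: date = TODAY) -> str:
    """Map one record to an action: keep, delete, or pseudonymize_bank_account."""
    if record.paid_by_this_system:
        return "keep"
    if record.employment_end and today - record.employment_end > RETENTION_AFTER_SEPARATION:
        return "delete"
    if record.bank_account:
        return "pseudonymize_bank_account"
    return "keep"


def apply_policy(records, key: bytes, today: date = TODAY):
    """Return (surviving_records, actions); actions maps employee_id -> decision."""
    survivors, actions = [], {}
    for rec in records:
        action = decide(rec, today)
        actions[rec.employee_id] = action
        if action == "delete":
            continue
        if action == "pseudonymize_bank_account":
            rec = replace(rec, bank_account=pseudonymize(rec.bank_account, key))
        survivors.append(rec)
    return survivors, actions


if __name__ == "__main__":
    kept, plan = apply_policy(SAMPLE_RECORDS, b"constructed-key-held-outside-the-erp")
    for emp_id, action in plan.items():
        print(emp_id, action)
    print(f"{len(kept)} of {len(SAMPLE_RECORDS)} records remain; "
          f"{sum(1 for r in kept if r.bank_account and not r.bank_account.startswith('tok_'))} "
          "still hold a plaintext bank account")
```

On the constructed set, one plaintext account number survives instead of three. Had a policy of this shape run after the 2020 sale, an intruder reaching the ERP years later would have found tokens and a much smaller table rather than the live bank details of tens of thousands of people.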
The exposure of bank account numbers, in particular, raises the stakes for affected employees. While account numbers alone are not always sufficient to move money, they can support fraudulent withdrawal attempts, targeted phishing, or social engineering of financial institutions. In practice, many workers may feel pressure to monitor their accounts more closely or change salary deposit details, a process that can be time-consuming and disruptive.
Korean law allows victims of data breaches to seek civil damages for material losses and emotional distress. Previous court rulings have sometimes granted compensation even where no direct financial harm was demonstrated, although typical individual awards have been modest. Korean Air has not publicly detailed what support, if any, it will offer employees beyond notification and guidance.
A supply-chain lesson for critical industries
The incident also underscores how attackers increasingly bypass hardened perimeter defenses by exploiting widely used third-party platforms and the extended web of suppliers, contractors and former subsidiaries. In recent years, Cl0p has been linked by law enforcement and security agencies to mass exploitation of file transfer and collaboration tools, including Accellion’s File Transfer Appliance, Fortra’s GoAnywhere managed file transfer product and Progress Software’s MOVEit Transfer service.
In each case, attackers found a critical vulnerability in software deployed across hundreds or thousands of organizations, used it to steal data at scale and then extorted victims by threatening to publish stolen files.
The Oracle E-Business Suite campaign appears to follow the same pattern. For Korean Air, the weak point was not a passenger reservation system or flight operations network, but an aging ERP environment at a business that technically no longer belonged to the airline.
As investigators continue to analyze what was taken and regulators weigh potential responses, the episode offers a stark reminder to large organizations: the security perimeter now extends far beyond their own servers and data centers. Sensitive information can linger for years in systems controlled by partners and divested units—and when those systems become targets in global hacking campaigns, the consequences land back on the employees whose data was left behind.