Data Breaches | December 30, 2025 | 4 min read

Korean Air Confirms 30,000 Employee Records Stolen in Supplier Breach

Hackers exploited Oracle EBS vulnerability at catering subsidiary to steal employee data including bank account numbers. Second major Korean airline breach this week.

Sarah Mitchell

Korean Air has confirmed that hackers stole personal information for approximately 30,000 current and former employees through a breach at its former subsidiary, Korean Air Catering & Duty-Free (KC&D). The incident marks the second major data breach affecting a South Korean airline in less than a week.

The attackers exploited a vulnerability in Oracle E-Business Suite (EBS) to gain access to KC&D's systems. While KC&D was spun off from Korean Air, it continues to serve as the airline's catering supplier, maintaining access to employee data from their shared operational history.

What Was Stolen

The compromised data includes:

  • Employee names
  • Bank account numbers
  • Contact information
  • Employment records for both current and former staff

Bank account exposure is particularly concerning. Unlike email addresses or phone numbers, changing bank accounts is disruptive and time-consuming. Affected employees now face the inconvenience of monitoring for fraudulent transactions or switching accounts entirely.

Korean Air hasn't disclosed when the breach occurred or how long attackers maintained access. The company is reportedly working with cybersecurity firms to assess the full scope and implement additional protections.

Oracle EBS Vulnerabilities

Oracle E-Business Suite has been a recurring target for attackers. The integrated business software platform handles everything from HR and payroll to supply chain management, making it a high-value target. When exploited, EBS vulnerabilities can expose the sensitive operational data flowing through these systems.

Organizations running EBS should review their patch status. Oracle releases quarterly Critical Patch Updates, but many enterprises lag behind on updates due to the complexity of testing changes against customized implementations.

Second Korean Airline Hit This Week

The Korean Air incident follows closely behind a separate breach at Asiana Airlines, which disclosed that information for approximately 10,000 employees may have been compromised. Investigators haven't found evidence linking the two incidents, but the timing raises questions about whether threat actors are specifically targeting South Korean aviation.

Both airlines carry sensitive passenger and employee data, and their operational systems connect to airport infrastructure across Asia. A determined adversary could use employee credentials as a foothold for deeper network access.

Supply Chain Risk on Display

This breach demonstrates why third-party risk management matters. Korean Air spun off KC&D, but the catering company retained access to employee data from their shared history. That data became the attack surface.

Supply chain compromises have become one of the most reliable paths into enterprise networks. Attackers know that large organizations often have better security than their vendors, partners, and subsidiaries. Targeting the weaker link gets results.

For security teams, the takeaway is straightforward: audit data sharing relationships with former subsidiaries and current suppliers. Understand what data they hold, how they protect it, and whether that access is still necessary.

What Affected Employees Should Do

Korean Air employees—past and present—should take immediate precautions:

  1. Monitor bank accounts for unauthorized transactions. Set up alerts if your bank offers them.
  2. Be suspicious of communications claiming to be from Korean Air or KC&D. Attackers often use stolen data for targeted phishing.
  3. Consider account changes if you're particularly concerned. Talk to your bank about fraud protection options.
  4. Watch for identity theft beyond banking. Employee data can be combined with other breached datasets.

Why This Matters

Korean Air is a major international carrier and one of the largest airlines in Asia. A breach affecting 30,000 employees represents a significant incident, but the Oracle EBS exploitation method is what security teams should pay attention to.

EBS deployments are common across industries. Many were implemented years ago and have accumulated technical debt that makes patching difficult. The same vulnerabilities that exposed Korean Air's supplier could exist in manufacturing, retail, and healthcare organizations running similar configurations.

The aviation sector specifically has seen increased attention from both criminal groups and state-sponsored actors. Airlines handle passenger manifests, loyalty program data, and operational information that intelligence services find valuable. Employee data provides a starting point for social engineering attacks aimed at more sensitive systems.

South Korea's Personal Information Protection Commission will likely investigate both airline incidents. Under Korean data protection law, companies face penalties for inadequate security measures. Whether KC&D's Oracle EBS configuration met regulatory standards will be part of that review.
