Korean Air has confirmed that personal information belonging to thousands of its employees was exposed following a cyber incident at Korean Air Catering and Duty-Free, commonly referred to as KC&D. The company disclosed the issue after receiving notification from KC&D that its internal systems had been compromised by an external cyberattack.
KC&D, which provides in-flight meals and duty-free sales services, was separated from Korean Air in 2020 and now operates as an independent entity. Despite this separation, KC&D continued to store certain employee records belonging to Korean Air, which were housed on its enterprise resource planning system. According to internal communications, the exposed data includes employee names and bank account numbers. Korean Air estimates that information related to approximately 30,000 employees may have been affected.
The airline clarified that the incident did not involve passenger or customer data. Korean Air stated that, based on current findings, the breach was limited strictly to employee information stored within KC&D’s systems.
In an internal notice circulated to staff, Korean Air acknowledged that while the breach occurred outside its direct operational control, it is treating the situation with seriousness due to the sensitivity of the information involved. The company noted that it only became aware of the incident after KC&D formally disclosed the breach.
Following the notification, Korean Air said it immediately initiated emergency security measures and reported the matter to relevant authorities. The airline is actively working to determine the full extent of the exposure and identify all affected individuals. Employees have been advised to remain cautious of unexpected messages or unusual financial activity, as exposed personal information can increase the risk of scams and identity misuse.
Korean Air leadership reassured staff that there is currently no evidence suggesting further leakage of employee data beyond what has already been identified. The company also stated that it plans to conduct a comprehensive review of its data protection and security arrangements with external partners to prevent similar incidents in the future.
Although Korean Air has not officially attributed the attack to any specific group, a ransomware operation has publicly claimed responsibility for breaching KC&D’s systems. This claim has not been independently verified by Korean Air. Cybersecurity analysts have noted that the same group has been linked to previous attacks exploiting vulnerabilities in widely used enterprise software, often targeting third-party vendors as an entry point.
Ransomware groups typically operate by stealing sensitive data and threatening public disclosure to pressure victims. Such attacks increasingly focus on supply-chain targets, where indirect access can yield large volumes of data with fewer security barriers.
Korean Air stated that investigations are ongoing and that it will continue cooperating with authorities. The airline added that further updates and support will be provided to employees as more information becomes available.
