Korean Air Employee Data Exposed in Cl0p Supply-Chain Breach
Korean Air confirmed a data breach affecting approximately 30,000 current and former employees after a supply-chain attack on its catering and duty-free subsidiary, Korean Air Catering & Duty-Free (KC&D). The incident stemmed from a critical vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), which the Cl0p ransomware group exploited to steal and leak nearly 500 GB of archives.
The exposed data includes full names and bank account numbers, heightening risks of identity theft and financial fraud. Other personal details, such as emails or addresses, were reportedly not compromised. KC&D was added to Cl0p’s leak site on November 21, following a pattern similar to the group’s 2023 MOVEit attack, which impacted hundreds of organizations worldwide.
The breach mirrors the MOVEit incident in scale, with dozens of global entities—including Envoy Air, Harvard University, Schneider Electric, and Barts Health NHS Trust—confirming exposure via the same EBS vulnerability. Oracle released a patch in early October after companies began receiving extortion demands from Cl0p, but the damage had already spread.
Cl0p, a Russian-linked ransomware group, has claimed responsibility for both the EBS and MOVEit attacks, targeting high-profile victims like Shutterfly, Procter & Gamble, and Community Health Systems. The group’s tactics underscore the growing threat of supply-chain attacks on enterprise software.
Korean Air cybersecurity rating report: https://www.rankiteo.com/company/korean-air
Schneider Electric cybersecurity rating report: https://www.rankiteo.com/company/schneider-electric
{
    "id": "KORKORSCH1767123879",
    "linkid": "korean-air, korean-air, schneider-electric",
    "type": "Ransomware",
    "date": "11/2025",
    "severity": "100",
    "impact": "5",
    "explanation": "Attack threatening the organization's existence"
}
{
    'affected_entities': [
        {'customers_affected': '30,000 current and former employees',
         'industry': 'Aviation', 'location': 'South Korea', 'name': 'Korean Air', 'size': 'Large', 'type': 'Airline'},
        {'industry': 'Hospitality, Retail', 'location': 'South Korea', 'name': 'Korean Air Catering & Duty-Free (KC&D)', 'type': 'Catering & Duty-Free Services'},
        {'industry': 'Aviation', 'location': 'United States', 'name': 'Envoy Air', 'type': 'Airline'},
        {'industry': 'Education', 'location': 'United States', 'name': 'Harvard University', 'type': 'Educational Institution'},
        {'industry': 'Education', 'location': 'South Africa', 'name': 'University of Witwatersrand', 'type': 'Educational Institution'},
        {'industry': 'Energy, Automation', 'location': 'France', 'name': 'Schneider Electric', 'type': 'Corporation'},
        {'industry': 'Industrial Automation', 'location': 'United States', 'name': 'Emerson', 'type': 'Corporation'},
        {'industry': 'Media, Communications', 'location': 'United States', 'name': 'Cox Enterprises', 'type': 'Corporation'},
        {'industry': 'Mining', 'location': 'Canada', 'name': 'Pan American Silver Corp', 'type': 'Corporation'},
        {'industry': 'Automotive', 'location': 'United States', 'name': 'LKQ Corporation', 'type': 'Corporation'},
        {'industry': 'IT Services', 'location': 'United States', 'name': 'GlobalLogic', 'type': 'Corporation'},
        {'industry': 'Healthcare', 'location': 'United Kingdom', 'name': 'Barts Health NHS Trust', 'type': 'Healthcare Provider'},
        {'industry': 'Education', 'location': 'United States', 'name': 'Dartmouth College', 'type': 'Educational Institution'},
    ],
    'attack_vector': 'Supply-Chain Attack, Exploitation of Vulnerability (CVE-2025-61882)',
    'data_breach': {
        'data_exfiltration': 'Yes',
        'number_of_records_exposed': '30,000',
        'personally_identifiable_information': 'Yes',
        'sensitivity_of_data': 'High',
        'type_of_data_compromised': ['Full names', 'Bank account numbers'],
    },
    'date_detected': '2025-10',
    'date_publicly_disclosed': '2025-11-21',
    'description': 'Korean Air lost sensitive data on ~30,000 employees in a supply-chain breach involving Korean Air Catering & Duty-Free (KC&D). The Cl0p ransomware group exploited a vulnerability in Oracle E-Business Suite (EBS) and leaked 500 GB of archives containing names and bank account numbers.',
    'impact': {
        'brand_reputation_impact': 'High',
        'data_compromised': '500 GB of archives',
        'identity_theft_risk': 'High',
        'payment_information_risk': 'High',
        'systems_affected': 'Oracle E-Business Suite (EBS)',
    },
    'initial_access_broker': {'entry_point': 'Oracle E-Business Suite (EBS) vulnerability (CVE-2025-61882)'},
    'motivation': 'Extortion, Data Theft',
    'post_incident_analysis': {'root_causes': 'Exploitation of unpatched vulnerability in Oracle E-Business Suite (CVE-2025-61882)'},
    'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Cl0p'},
    'references': [{'source': 'Security Week'}, {'source': 'TechRadar Pro'}],
    'threat_actor': 'Cl0p',
    'title': 'Korean Air Data Breach via KC&D Supply-Chain Attack',
    'type': 'Data Breach, Ransomware',
    'vulnerability_exploited': 'CVE-2025-61882 (Oracle E-Business Suite)',
}