CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Korean Air Employee Data Exposed via Breach at Catering Supplier KC&D

South Korean airline Korean Air has disclosed a data breach affecting approximately 30,000 current and former employees after sensitive information was compromised at one of its suppliers.

The incident originated at Korean Air Catering & Duty-Free (KC&D), a former subsidiary that now operates as an independent catering and duty-free services provider. While no customer data was exposed, the breach resulted in the theft of employee names and bank account details.

Evidence suggests the incident is linked to a broader campaign exploiting zero-day vulnerabilities in Oracle E-Business Suite, highlighting ongoing risks posed by third-party enterprise software and supply chain exposure.

Context

Airlines and aviation service providers rely heavily on complex vendor ecosystems to support operations ranging from catering to enterprise resource planning.

This interconnected environment expands the attack surface, allowing threat actors to compromise downstream organizations by targeting shared suppliers or widely deployed software platforms. Recent campaigns against enterprise applications demonstrate how vulnerabilities in a single system can cascade across industries and regions.

The Korean Air incident follows a series of high-profile breaches affecting aviation companies worldwide, underscoring the sector’s growing attractiveness to cybercriminals.

What Happened

According to reporting by Korea JoongAng Daily, KC&D notified Korean Air that data belonging to airline employees had been compromised.

Korean Air subsequently confirmed that attackers accessed records associated with roughly 30,000 employees, including both current and former staff. The exposed data reportedly includes names and bank account numbers. The airline emphasized that no passenger or customer information was affected.

KC&D was added to a ransomware leak site in late November, and large volumes of data allegedly stolen from the company have since been published.

Technical Breakdown

The breach is believed to be connected to a campaign targeting Oracle E-Business Suite (EBS).

In this campaign, attackers exploited previously unknown vulnerabilities to gain unauthorized access to enterprise systems used by more than 100 organizations. While attribution remains contested, activity has been linked to the FIN11 threat cluster, with the Cl0p ransomware group publicly claiming responsibility.

Organizations that declined to pay ransoms reportedly had data published on Tor-based leak sites, a tactic designed to increase pressure and visibility.

Impact Analysis

The exposure of employee bank account information poses a significant financial and fraud risk.

Unlike passwords, banking details are difficult to change quickly, increasing the likelihood of downstream abuse such as unauthorized transfers or targeted social engineering. For Korean Air, the breach also raises concerns around vendor oversight and data-sharing practices with third-party suppliers.

The incident further demonstrates how enterprise software vulnerabilities can lead to widespread, multi-organization impact when exploited at scale.

Why It Matters

This case reinforces the importance of supply chain security and shared responsibility.

Even organizations with strong internal controls remain vulnerable when sensitive data is stored or processed by external partners. As attackers increasingly focus on enterprise platforms, visibility into vendor security posture and rapid patch management become critical defensive priorities.

For employees, the breach highlights that workforce data can be just as valuable to attackers as customer information.

Expert Commentary

The Oracle EBS campaign has already affected dozens of major organizations, including aviation entities such as Envoy Air.

Security researchers note that while some victims report limited employee-only exposure, others have acknowledged the theft of personal data belonging to millions of individuals. This variability reflects differences in how organizations configure and segment enterprise systems.

Key Takeaways

  • Korean Air disclosed a breach impacting roughly 30,000 employees

  • The incident originated at supplier Korean Air Catering & Duty-Free

  • Exposed data includes names and bank account numbers

  • No customer or passenger data was affected

  • The breach is likely linked to the Oracle E-Business Suite campaign

  • Ransomware groups are using data leaks to pressure victims

  • Supply chain and enterprise software risks remain a top concern
