Korean Air experienced a data breach affecting thousands of employees after Korean Air Catering & Duty-Free (KC&D), its in-flight catering supplier and former subsidiary, was recently hacked.

Korea's flag carrier has over 20,000 employees, a fleet of over 160 aircraft, and has reported over $11 billion in revenue after carrying more than 23 million passengers in 2024.

The airline issued an internal notice on Monday, disclosing a data breach after KC&D (which spun off as a separate in-flight meals and retail company in 2020) notified it that it had been recently hacked.

"During this incident, personal information (names, bank account numbers) of our employees stored in the company's ERP system on the affected servers was compromised," Korean Air CEO Woo Kee-hong said in an internal memo.

"Although this incident occurred within the management domain of an external partner company spun off from us, the company views this matter with the utmost seriousness as it involves the information of our employees."

Although the company didn't share further details on how many employees had their information stolen in the breach, local news outlets report that the attackers exfiltrated approximately 30,000 data records.

​Korean Air has since reported the incident to the relevant authorities and, while it has yet to find evidence that the stolen data was used for fraud, it has advised employees to be on the lookout for emails and messages impersonating the company.

"We are currently focusing our efforts on identifying the precise scope and targets of the leak. To date, no evidence of additional employee information leakage beyond the aforementioned items has been identified," Kee-hong added.

"However, to prevent potential secondary damage, all employees are urged to exercise extreme caution regarding suspicious texts or emails requesting transfers impersonating the company or financial institutions, or demanding security card numbers."

While Korean Air has yet to attribute the attack, the Clop ransomware gang has claimed responsibility for the KC&D attack in November and later published the allegedly stolen data on its dark web leak site, making it available for download via Torrent.

​As part of the same series of data theft attacks, Clop compromised the Oracle EBS instances of dozens of victims worldwide, including GlobalLogic, Logitech, Harvard University, the University of Pennsylvania, The Washington Post, and the American Airlines subsidiary Envoy Air, leaking the stolen data on its leak site.

In the past, the ransomware group was behind other data theft campaigns targeting GoAnywhere MFT, Accellion FTA, Cleo, and MOVEit Transfer, and, most recently, Gladinet CentreStack customers.

The U.S. Department of State now offers a $10 million bounty to anyone who can provide any information tying Clop's attacks to a foreign government.

A Korean Air spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.