What happened
Korean Air disclosed that a recent cyberattack on KC&D, its former in‑flight catering and duty‑free supplier, resulted in the compromise of personal data belonging to thousands of its employees. The exposed information, reportedly including names and bank account numbers, stems from systems managed by KC&D that held Korean Air employee records. The airline has activated emergency security measures and reported the incident to authorities.
Who is affected
The breach potentially impacts around 30,000 Korean Air staff whose personal details were stored on the compromised systems. There is no indication that customer data was involved.
Why CISOs should care
This incident underscores the significant risk posed by third‑party and supply chain relationships, even when a partner is no longer formally part of the corporate group. Employee data exposure can lead to targeted phishing, financial fraud, and reputational harm. CISOs must consider how data is shared, stored, and protected across all connected vendors and service providers.
3 practical actions:
- Reassess third‑party risk frameworks: Update vendor risk assessments to include off‑boarded entities that still retain access to sensitive data.
- Enhance data access controls: Restrict and monitor access to employee information on partner systems using least‑privilege and real‑time auditing.
- User vigilance campaigns: Educate employees on recognizing phishing and impersonation attempts that could exploit exposed information.
