Date of Incident:
November 2025
Overview:
The Korean Air data breach, reported in December 2025, compromised the personal information of approximately 30,000 employees, including names and bank account numbers. The breach exploited vulnerabilities in the company’s ERP system, using tactics such as exploitation of remote services and account access removal. The incident affected the transportation sector, specifically Korean Air, and there is no evidence yet of data misuse. Employees have been advised to remain vigilant against phishing. Indicators of Compromise include suspicious IP addresses and unusual data exfiltration patterns.
Impact:
Personal information (names, bank account numbers) of approximately 30,000 Korean Air employees was compromised from the company’s ERP system. There is no evidence yet of data misuse or additional leaks, and employees have been advised to be cautious of phishing attempts.
Details:
The Korean Air data breach is characterized by exploitation of the company’s ERP system to extract employees’ personal data. The attack maps to MITRE ATT&CK techniques T1210 (Exploitation of Remote Services) and T1531 (Account Access Removal), with tactics including Initial Access and Impact. The proof-of-concept behaviour described involved injecting malicious payloads to execute unauthorized queries within the ERP system and dump employee personal information, including names and bank account numbers. Indicators of Compromise (IOCs) include suspicious IP addresses linked to unauthorized access attempts, anomalous registry edits consistent with log tampering, and file artifacts indicative of data extraction tools. Log artifacts show repeated failed login attempts followed by an anomalous successful access in the ERP system audit logs, and unusual data exfiltration patterns in outbound network traffic logs.
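A detection for the audit-log artifact just described (a burst of failed ERP logins followed by a successful login from the same source and account), as an added example that is not part of this advisory. The log line format and the sample lines are constructed for illustration; the IP addresses are documentation ranges, not indicators from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERP audit-log lines (not real Korean Air data); the
# "timestamp src_ip user result" format is an assumption for this example.
SAMPLE_LOG = """\
2025-11-12T02:14:01 198.51.100.23 jkim LOGIN_FAILED
2025-11-12T02:14:05 198.51.100.23 jkim LOGIN_FAILED
2025-11-12T02:14:09 198.51.100.23 jkim LOGIN_FAILED
2025-11-12T02:14:13 198.51.100.23 jkim LOGIN_FAILED
2025-11-12T02:14:20 198.51.100.23 jkim LOGIN_SUCCESS
2025-11-12T09:01:00 203.0.113.7 mlee LOGIN_FAILED
2025-11-12T09:03:00 203.0.113.7 mlee LOGIN_SUCCESS
2025-11-12T09:05:00 203.0.113.9 spark LOGIN_SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_FAILED|LOGIN_SUCCESS)$")


def find_failed_then_success(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return (src_ip, user, failure_count, success_time) for each successful
    login preceded by at least `min_failures` failures from the same source
    and account within `window`. Failures older than the window are dropped."""
    failures = defaultdict(list)  # (src_ip, user) -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.fromisoformat(m.group(1))
        key = (m.group(2), m.group(3))
        recent = [t for t in failures[key] if ts - t <= window]
        if m.group(4) == "LOGIN_FAILED":
            recent.append(ts)
            failures[key] = recent
        else:
            if len(recent) >= min_failures:
                hits.append((key[0], key[1], len(recent), ts))
            failures[key] = []  # a success ends the streak either way
    return hits


if __name__ == "__main__":
    for ip, user, n, when in find_failed_then_success(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()} {user}@{ip}: success after {n} failures")
```

Tune `min_failures` and `window` to the ERP's normal lockout and retry behaviour so that ordinary mistyped passwords do not page the on-call analyst.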
Remediation:
Vendor guidance recommends immediate deployment of ERP system security patches addressing vulnerable authentication components. Temporary mitigations include enabling multi-factor authentication for ERP access, rigorous monitoring of access logs for suspicious activity, and immediate disabling of compromised credentials. Known workarounds involve network segmentation of critical ERP systems and implementation of strict data access controls.
Takeaway for CISO:
The breach exposed sensitive employee personal information, raising the risk of targeted phishing and potential identity theft. CISOs should focus on strengthening ERP access controls, enhancing anomaly detection for privileged access, and running employee phishing-awareness training to mitigate the social engineering avenues that attackers leverage after a breach of this kind.
