Inside the Korean Air Employee Data Breach: How a Trusted System Became the Attackers’ Doorway

Overview

In early January, Korean Air confirmed that personal data of roughly 30,000 current and former employees had been exposed. The breach did not originate from Korean Air’s passenger systems or flight operations. Instead, it came through a third-party supplier that handled catering and duty-free operations and stored employee payroll-related information.

This was a supply-chain breach, meaning attackers compromised a connected vendor system and used that access to steal Korean Air employee data.


How the breach happened

1. The weak point: a third-party ERP system

The affected company operated an Oracle E-Business Suite (EBS) environment. This is a large enterprise ERP platform commonly used for HR, payroll, finance, and procurement.

That ERP system:

  • Stored Korean Air employee records
  • Was exposed to external network access
  • Had a critical, previously unknown vulnerability (zero-day) at the time of the attack

The attackers did not break in using stolen passwords first. They went straight after the software flaw.


2. The vulnerability that was exploited

The attackers abused a remote code execution vulnerability in Oracle E-Business Suite, specifically in components tied to BI Publisher / XML processing.

In simple terms:

  • The system trusted certain XML/XSLT files
  • Attackers sent maliciously crafted XML requests
  • When the server processed those requests, it unintentionally ran attacker-controlled code

This meant the attackers could:

  • Run commands on the server
  • Query databases directly
  • Read files that should never be accessible remotely

No login was required — the flaw allowed unauthenticated access.


3. Initial attack vector (how they got in)

The initial vector was direct exploitation over the internet.

Technically, the attack chain involved:

  • Specially crafted HTTP requests
  • Abuse of server-side request handling
  • Manipulation of headers and internal requests
  • Injection of malicious XSLT/XML payloads

Once processed by Oracle EBS, those payloads executed server-side code.

This is not phishing.
This is not brute force.
This is a software exploitation attack.


What payloads were used

The “payloads” were not typical malware files like EXEs or ransomware binaries.

Instead, they consisted of:

  • Malicious XML/XSLT templates
  • Exploit strings embedded in HTTP requests
  • Server-side scripts executed in memory
  • SQL queries used to dump data from ERP tables

Think of it as:

“Using the application itself as the weapon.”

Because the payloads ran inside the ERP application:

  • Antivirus often doesn’t flag them
  • No obvious malware file is dropped
  • Logs may look like normal application traffic unless closely inspected

Was malware used?

There is no public evidence that traditional malware (trojans, backdoors, ransomware executables) was deployed in this case.

This attack focused on:

  • Data theft
  • Exfiltration
  • Public extortion via data leaks

The attackers are known for steal-and-leak tactics; encryption is not always part of their playbook.

That said:

  • Just because malware wasn’t publicly identified does not mean the systems were “clean”
  • In-memory execution and temporary scripts leave minimal traces

What data was stolen

Confirmed exposed data includes:

  • Employee full names
  • Bank account numbers used for payroll

This combination is particularly dangerous because it can be used for:

  • Targeted phishing
  • Payroll fraud
  • Identity-assisted financial scams

No evidence has been disclosed that:

  • Passenger data was accessed
  • Flight systems were affected
  • Korean Air’s core infrastructure was breached

How the data was taken out

After gaining control of the ERP environment, the attackers:

  1. Queried HR and payroll databases
  2. Exported the data in bulk
  3. Archived it into large compressed files
  4. Exfiltrated it over the network
  5. Later published the data publicly when extortion demands were not met (or ignored)

This was post-exploitation data exfiltration, not accidental exposure.
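A small defender-side detection script that covers the two traffic patterns the post describes: an unauthenticated XML/XSLT payload arriving at the ERP front end, and a bulk compressed archive leaving the ERP host for an external destination. This is an added example, not the author's tooling or anything from Oracle; the log format, hostnames, addresses, and the 100 MiB threshold are constructed assumptions.

```python
"""Heuristics for two patterns from the post: unauthenticated XML/XSLT
payloads reaching an internet-facing ERP, and large compressed archives
leaving it. Added example; log format and hosts are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed reverse-proxy log (hypothetical key=value format, one event per
# line). Hostnames and addresses are placeholders, not indicators from the case.
SAMPLE_LOG = """\
ts=2026-01-03T02:11:05Z src=203.0.113.7 dst=erp.example.internal user=- method=POST path=/app/report ctype=text/xml bytes_in=18342 bytes_out=512 body_hint=xsl:stylesheet
ts=2026-01-03T02:11:09Z src=10.20.5.14 dst=erp.example.internal user=hr_batch method=POST path=/app/report ctype=text/xml bytes_in=2210 bytes_out=640 body_hint=-
ts=2026-01-03T02:40:51Z src=erp.example.internal dst=198.51.100.23 user=- method=PUT path=/upload ctype=application/zip bytes_in=0 bytes_out=734003200 body_hint=-
ts=2026-01-03T03:02:00Z src=10.20.5.14 dst=erp.example.internal user=hr_batch method=GET path=/app/home ctype=text/html bytes_in=0 bytes_out=4096 body_hint=-
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
ARCHIVE_TYPES = {"application/zip", "application/gzip",
                 "application/x-7z-compressed", "application/x-rar-compressed"}
EXFIL_BYTES = 100 * 1024 * 1024  # 100 MiB in a single transfer; tune per site


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values may themselves contain '='."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(host: str) -> bool:
    """IPs are checked against INTERNAL_NETS; hostnames by the .internal suffix."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return host.endswith(".internal")


def flag_events(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, peer) pairs for events matching either heuristic."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Rule 1: XML request carrying an XSLT marker, no authenticated user,
        # from outside the corporate network -> candidate unauthenticated exploit.
        if (ev["ctype"].endswith("xml") and "xsl:" in ev["body_hint"]
                and ev["user"] == "-" and not is_internal(ev["src"])):
            findings.append(("unauth_xslt_payload", ev["src"]))
        # Rule 2: compressed archive above the size threshold moving from an
        # internal host to an external peer -> candidate bulk exfiltration.
        if (ev["ctype"] in ARCHIVE_TYPES and int(ev["bytes_out"]) >= EXFIL_BYTES
                and is_internal(ev["src"]) and not is_internal(ev["dst"])):
            findings.append(("bulk_archive_egress", ev["dst"]))
    return findings
```

Both rules are deliberately narrow; in practice the archive rule should also aggregate many smaller transfers to the same peer over a window, which the single-line form here does not do.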


Who carried out the attack

The breach has been publicly claimed by a well-known data-extortion ransomware group.

This group is known for:

  • Exploiting zero-day vulnerabilities in enterprise software
  • Targeting file transfer systems and ERPs
  • Stealing data first
  • Leaking data instead of (or before) encrypting systems

Their operating style matches:

  • The vulnerability used
  • The timing
  • The leak method
  • The publication of large employee data archives

Why this happened (root cause)

From a security standpoint, the key failures were:

  • Internet-exposed ERP systems
  • Delayed patching of critical enterprise software
  • Over-trust in vendor environments
  • Insufficient network segmentation
  • Sensitive payroll data accessible from application-level compromise

Key takeaway

A trusted vendor ran a vulnerable business system. Attackers exploited a flaw in that system, remotely took control of it, copied employee payroll data, and leaked it online. No phishing, no insider help — just a serious software vulnerability combined with internet exposure.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.