The news of what could be the last major cyber incident of 2025 came in early on the morning of December 29. Korean Air which is the nation's flagship carrier faced a data breach. The most significant part of the breach was not why but how it happened and how this incident along with the Nissan Red Hat breach echo the same message and pretty much reinforce the same lesson for all of us.

Before we get into the lesson part, let’s spend some time in understanding what went wrong at Korean Air.  

The actual breach didn't originate from within Korean Air’s own infrastructure. Instead, it came through KC&D Service, a key supplier of in-flight meals and onboard sales. This incident impacted nearly 30,000 employees whose records were leaked. The information leaked included names and bank accounts.

The incident: Anatomy of a third-party breach

As per an internal notice and our research, an external hacker group targeted the servers of KC&D Service. Because KC&D which was formerly a Korean Air subsidiary before being sold to a private equity, handles logistics and sales that require personnel coordination. It also held sensitive data on the airline's staff.

What was exposed?

• Employee names

• Phone numbers

• Bank account numbers

Korean Air has clarified that customer data remains unaffected. The exposure of bank details belonging to 30,000 employees opens a dangerous window for secondary financial fraud and sophisticated phishing campaigns. This is another risk that must be immediately addressed.

A pattern, not a fluke

This isn't an isolated event by any means. In fact, it follows a nearly identical breach at Asiana Airlines just last week, which saw 10,000 employee records leaked through a similar channel. When you add the massive Coupang data incident from earlier this month to this mix, a clear trend emerges.

A massive jigsaw puzzle is emerging around the world. Data belonging to employees is being leaked across major beaches. Hackers now have access to more data on persons of interest in target businesses. They can validate the breached data across various data sets from different breaches and even gather or derive possible credentials.

Hackers are no longer spending their time banging on the front door of major corporations. They are instead finding the "side door" that includes the vendors, caterers, and service providers who have (or had) legitimate access to the proverbial mother ship's data but often lack the same level of cybersecurity investment or are not according the data enough security attention.

Suppliers are the new primary target

For a cybercriminal, targeting a supplier is often a high-ROI (Return on Investment) move for three reasons:

• Trust by association: Suppliers often have "privileged" access to the main company's internal systems or databases to facilitate operations.

• Resource disparity: While a global business may spend millions on a SOC (Security Operations Center), a business partner might have a much leaner IT budget.

• Lateral movement: Once a hacker is inside the supplier’s network, they can often "jump" to the client's network if the service integrations aren't strictly segmented.

• The forgotten data: Sometimes data from previous projects belonging to a customer is forgotten once the project is over. Such data may be parked in a server that is not frequently used and is not secured by adequate measures. Hackers proactively seek out such data.

Data awareness is the need of the hour

Korean Air has already moved to its "emergency security measures" and reported the breach to the authorities. However, for the broader business community, the fix isn't just better firewalls. It's Third-Party Risk Management (TPRM). In case of the Nissan Red Hat breach, the data was stored by Red Hat (a project partner) in a shadow repository that was breached.

Both the Korean Air and Nissan breach highlight the same lessons. We need to build a data trail to understand the entire data chain including data shared in the past with suppliers or vendors. This information can then be used to build a heatmap to grade data at risk based on the security measures accorded by the entity that is managing the data (be it an internal team or an external supplier). Unless such levels of data awareness are attained, we run the risk of such breaches occurring more frequently.

With each episode of data loss, the risk of a major breaches increases. Thus, as we enter 2026, we need to internalize data security across the wider footprint and ensure the deployment of a set of specific data security controls.

In addition, we recommend the deployment of following security measures to secure data and systems.   

• Zero trust architecture: Never trust a partner’s connection by default. Every interaction between a supplier's server and the company server must be verified. Partners should be encouraged to adopt stringent data and systems security measures by default before any data exchange.

• Strict Data Minimization: Ask a basic question: Does our catering partner actually need our employees' bank account numbers? Maybe they do but if the answer is no, that data shouldn't be on their servers.

• Continuous auditing: Annual security questionnaires for vendors are as effective as an umbrella during heavy winds. Real-time monitoring of partner security posture is the new standard.

• Map all forgotten data and controls: Do a data audit to figure out where all your data is sitting and map the associated security measures associated with such data.

• Revisit your partner agreements: See if the data security clauses mentioned are stringent enough. If not, talk to your legal team to see if such agreements and/or contracts could be revised.

• Conduct a data security audit

Next steps for the impacted employees

If you are an employee impacted by a breach, your immediate focus should be on secondary damage prevention:

• Monitor bank statements: Look for "micro-transactions" that might be a precursor to larger unauthorized transfers.

• Credential hygiene: Change passwords on any accounts that might use your work phone number for 2FA, especially if you suspect those accounts could be targeted via SMS phishing (Smishing).

• Ignore "urgent" requests: Be wary of emails or texts claiming to be from "HR" or "Finance" asking for "security card numbers" or "verification codes" to "fix the breach."

• Talk to your security team to identify specific measures to reduce risk to yourself and to your employer.

The Korean Air incident is a reminder that in 2025, your perimeter could effectively be infinite if you are not having the right set of controls. Protecting your data must mean protecting every link in the chain that touches it. Here’s to a more secure 2026.

Interested in a custom briefing on specific security measures to segment your OT network Talk to our expert.

Test drive our NDR solution for OT security, here.

For everything else, let us know here.