A ransomware attack disrupted operations at South Korean conglomerate Kyowon

South Korean conglomerate Kyowon confirmed a ransomware attack that disrupted operations and may have exposed customer data.

Kyowon Group is a major South Korean conglomerate with diverse business interests spanning education, publishing, media, and technology. It operates nationwide, serving millions of customers through its various subsidiaries and brands. The company is a significant player in South Korea’s corporate landscape, combining traditional and modern sectors under one umbrella.

Kyowon detected abnormal activity on Saturday, January 10, triggering an emergency response that isolated affected servers to prevent further compromise. The conglomerate confirmed signs that data may have leaked in a ransomware attack, though the impact on customer information is still under investigation. Several affiliate websites remain offline as Kyowon works with external cybersecurity experts and authorities to restore systems and assess the breach.

“At around 8 a.m. on January 10, we detected suspicious signs of an external cyber intrusion, believed to be ransomware. Immediately after recognizing the incident, we reported the circumstances to KISA and relevant investigative authorities, and we are working with external cybersecurity experts to precisely determine the cause and extent of the damage.” read a statement released on the morning of January 12 by Kyowon Group. “We are still checking whether any personal information has been leaked. If a data breach is confirmed, we will promptly and transparently notify customers and take all necessary protective measures in accordance with relevant laws and procedures.”

Most of Kyowon Group’s core subsidiaries, including Kyowon Kumon, Wiz, Life, Tour, Property, Healthcare, and Start One, were affected and reported the incident to the Korea Internet & Security Agency (KISA).

“According to the incident report filed with the Korea Internet & Security Agency (KISA) and obtained by The Asia Business Daily, the attack involved an external server exposed to the internet, which the attacker used to infiltrate the internal system, leading to a ransomware infection that spread throughout the subsidiaries.” reported The Asia Business Daily. 

The attacker exploited an open external port to infiltrate Kyowon’s network, spreading laterally across subsidiaries and disrupting major services and databases. Most core subsidiaries were affected, and extortion attempts followed the ransomware infection, though authorities have not yet been notified.

According to the South Korean website Korea Joongang Daily, authorities estimate that around 9.6 million accounts may have been impacted by the cyberattack.

“Authorities estimate that 600 of the company’s 800 servers fall within the scope of the breach.” reported Korea Joongang Daily.

At the time of this writing, no major ransomware group has claimed responsibility for the Kyowon attack.

The Kyowon breach continues a wave of major cyberattacks on South Korean companies that have exposed sensitive data. Recent incidents include Coupang, affecting 33.7 million customers; Korean Air, impacting staff information; and SK Telecom, which revealed a malware breach dating back to 2022 that exposed USIM data of 27 million subscribers.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)