Ransomware Attack Suspected in Early Morning of January 10
Extortion Activity Noted in Incident Report
Personal Information of a Wide Range of Ages, from Preschoolers to Adults, at Risk
Major Disruption Expected if Data Breach is Confirmed
Kyowon Group, which runs educational workbook businesses such as Red Pen and Kumon as well as funeral service and travel businesses, has suffered a ransomware attack on its IT network.
Kyowon Group has millions of members across its various subsidiaries. In particular, Kyowon and Kyowon Kumon, which run educational workbook businesses, hold not only personal information of children and parents but also sensitive data such as card or account numbers used for tuition payments. If a data breach is confirmed, it is expected to cause significant disruption.
According to The Asia Business Daily's coverage on January 12, Kyowon Group was hit by a ransomware attack in the early hours of January 10, resulting in website access disruptions and internal system errors across all subsidiaries. The incident report filed with the Korea Internet & Security Agency (KISA) and obtained by The Asia Business Daily states that the attacker used an external server exposed to the internet to infiltrate the internal system, leading to a ransomware infection that spread throughout the subsidiaries.
The report details that the attacker used a server with an open external port as an entry point, then further penetrated the internal system and moved laterally across the network connecting the subsidiaries, which caused the damage to spread widely. During this process, major services and access to internal databases (DB) were disrupted.
The entities that reported the incident to KISA include Kyowon, Kyowon Kumon, Kyowon Wiz, Kyowon Life, Kyowon Tour, Kyowon Property, Kyowon Healthcare, and Kyowon Start One, meaning that most of Kyowon Group's core subsidiaries were affected.
The report also specifies that extortion attempts occurred following the ransomware infection, though the police have not yet been notified.
Due to this hacking incident, most of Kyowon Group's IT network, including its internal authentication and management system KSS (Kyowon Super Star), has been shut down and is currently inaccessible. As of the morning of January 12, a service disruption notice stating, "Web services are currently unavailable due to unexpected disruptions," was still posted on the websites of Kyowon Group and its subsidiaries.
Kyowon Group is currently working to restore its systems using backup data, while also conducting a detailed analysis to determine whether any additional damage has occurred. KISA also provided on-site technical support over the weekend. Lee Donggeun, Director of the Digital Threat Response Division at KISA, told The Asia Business Daily, "At this point, we do not expect the damage to spread significantly. However, since system recovery takes time once a disruption occurs, we will need to wait a bit longer to fully understand the situation."
In an official statement released on the morning of January 12, Kyowon Group said, "At around 8 a.m. on January 10, we detected suspicious signs of an external cyber intrusion, believed to be ransomware. Immediately after recognizing the incident, we reported the circumstances to KISA and relevant investigative authorities, and we are working with external cybersecurity experts to precisely determine the cause and extent of the damage." The company added, "We are still checking whether any personal information has been leaked. If a data breach is confirmed, we will promptly and transparently notify customers and take all necessary protective measures in accordance with relevant laws and procedures."
In addition to its funeral service company (Kyowon Life) and educational workbook companies (Kyowon and Kyowon Kumon), Kyowon Group also has subsidiaries in the rental business (Kyowon Invest) and travel (Kyowon Tour). As a result, the group holds a vast amount of sensitive information, including personal details of subscribers of all ages, as well as years of learning history and travel or accommodation data for children and adolescents. Concerns about potential leaks of children's information are already growing in parent communities and online mom cafes.
So far, there is no evidence of a personal data breach, and no report has been filed with the Personal Information Protection Commission. However, since subsidiaries such as Kumon and Red Pen hold large amounts of student and parent data, industry insiders point out that the possibility of a leak cannot be completely ruled out.
A Kyowon Group representative stated, "We deeply apologize for the concern this incident has caused our customers. Experts are currently working to restore services quickly and verify data integrity, and we will do our utmost to prevent any recurrence in the future."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.
![[Exclusive] Kyowon Group Hit by Successive Affiliate Breaches... Also Faces Hacker Extortion (Comprehensive)](https://cphoto.asiae.co.kr/listimglink/1/2026011211043787446_1768183477.jpg)

