- Kyowon operates a range of businesses, from educational brands like Kyowon Kumon and Red Pen to lifestyle and travel services, and holds sensitive data about students, parents, employees and more.
- Suspected ransomware attack: Kyowon Group detected abnormal activity in its internal systems early on January 10, and believes the cause is a ransomware intrusion.
- Network shutdown: To contain the incident, the company shut down parts of its internal network, including internal authentication/management systems, and blocked access across systems.
- Disrupted services: Multiple affiliate websites and services were offline or showing service disruption notices as of January 12.
Scope and technical details
- Wide impact across subsidiaries: Internal systems and websites of Kyowon and many of its affiliates were affected, causing widespread IT disruption.
- According to reports, the attackers may have entered through an externally exposed server port and moved laterally through internal networks.
- Incident reports note extortion attempts, though a formal police report on extortion has not yet been confirmed.
Data and investigation
- Ongoing forensic work: Kyowon is working with cybersecurity professionals and Korean authorities, including the Korea Internet & Security Agency (KISA), to investigate the cause, extent of impact, and whether any personal data was accessed or leaked.
- The company has stated it will notify affected customers promptly if a compromise of personal information is confirmed.
