Kyowon Group Hit by Suspected Ransomware Attack, Disrupting Services Across Subsidiaries
South Korea’s Kyowon Group has confirmed a cyberattack after detecting abnormal activity on its systems on the morning of January 10. The incident, suspected to involve ransomware, prompted the company to shut down parts of its internal network and take multiple affiliate websites offline, including those for Kyowon Tour and other subsidiaries.
Kyowon Group first acknowledged the breach on January 11, when its main website and several affiliated platforms became inaccessible. By January 12, a service disruption notice appeared across its sites, stating that web services were unavailable due to "unexpected disruptions." The company reported the incident to the Korea Internet & Security Agency (KISA) and law enforcement, initiating an investigation into the attack’s scope and potential data exposure.
While recovery efforts are underway, Kyowon Group has not yet confirmed whether customer data was compromised. The company stated it is conducting a thorough review to determine if personal information was leaked, with plans to notify affected individuals if a breach is verified. Security teams are working to restore systems gradually as they complete comprehensive security checks.
The attack adds to a recent surge in cyber incidents targeting South Korean companies, including breaches at telecommunications firms KT and Lotte Card. Kyowon Group’s diverse operations spanning education (Kyowon Kumon, Red Pen), home appliances (Wells), travel (Kyowon Tour), and financial services (Kyowon Invest) amplify concerns over the attack’s potential impact on its extensive customer base. Investigations remain ongoing.
Source: https://thecyberexpress.com/kyowon-group-cyberattack-update/
KYOWON THEORM VIET NAM cybersecurity rating report: https://www.rankiteo.com/company/theormvietnam
"id": "THE1768209687",
"linkid": "theormvietnam",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Extensive customer base across '
'subsidiaries',
'industry': 'Education, Lifestyle, Travel, '
'Hospitality, Financial Services, Home '
'Appliances',
'location': 'South Korea',
'name': 'Kyowon Group',
'size': 'Large',
'type': 'Conglomerate'},
{'industry': 'Education',
'location': 'South Korea',
'name': 'Kyowon Kumon',
'type': 'Subsidiary'},
{'industry': 'Education',
'location': 'South Korea',
'name': 'Red Pen',
'type': 'Subsidiary'},
{'industry': 'Home Appliances',
'location': 'South Korea',
'name': 'Wells',
'type': 'Subsidiary'},
{'industry': 'Funeral Services',
'location': 'South Korea',
'name': 'Kyowon Life',
'type': 'Subsidiary'},
{'industry': 'Financial Services',
'location': 'South Korea',
'name': 'Kyowon Invest',
'type': 'Subsidiary'},
{'industry': 'Travel',
'location': 'South Korea',
'name': 'Kyowon Travel',
'type': 'Subsidiary'},
{'industry': 'Hospitality',
'location': 'South Korea',
'name': 'The Suites Hotel',
'type': 'Subsidiary'},
{'industry': 'Travel',
'location': 'South Korea',
'name': 'Kyowon Tour',
'type': 'Subsidiary'}],
'customer_advisories': 'Service disruption notices on websites, planned '
'customer notifications if data leak confirmed',
'data_breach': {'type_of_data_compromised': 'Personal information (under '
'investigation)'},
'date_detected': '2025-01-10T08:00:00',
'date_publicly_disclosed': '2025-01-11',
'description': 'Kyowon Group detected signs of an external intrusion on '
'January 10, leading to system shutdowns and service '
'disruptions across its main website and subsidiaries. The '
'incident is suspected to be a ransomware attack, with '
'investigations ongoing to determine the scope of data '
'compromise.',
'impact': {'downtime': 'Ongoing as of January 12',
'operational_impact': 'Service disruptions across Kyowon Group and '
'subsidiaries',
'systems_affected': 'Internal systems, main website, and multiple '
'affiliate websites'},
'investigation_status': 'Ongoing',
'references': [{'source': 'Kyowon Group Website'}],
'regulatory_compliance': {'regulatory_notifications': 'Reported to Korea '
'Internet & Security '
'Agency (KISA)'},
'response': {'communication_strategy': 'Public acknowledgment, planned '
'official statement, customer '
'notifications if data leak confirmed',
'containment_measures': 'Shut down parts of internal systems, '
'isolated affected systems, blocked '
'external access',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes (Korea Internet & Security '
'Agency and relevant authorities)',
'recovery_measures': 'Gradual restoration of websites and '
'services',
'remediation_measures': 'Restoring systems, conducting security '
'checks',
'third_party_assistance': 'Professional security personnel'},
'title': 'Kyowon Group Cyberattack',
'type': 'Ransomware'}