Yes24

South Korea’s largest ticketing and online book retailer, Yes24, suffered a ransomware attack that took its website and mobile app offline for about seven hours, halting ticket bookings, e-book access and community forums. The outage began just hours before general ticket sales for K-pop band DAY6’s 'The Decade' tour were due to open, causing panic among fans.

It was the company’s second ransomware attack in under two months. A five-day outage in June had disrupted sales for major artists including Park Bo-gum and Enhypen, and exposed weak security practices, notably the lack of offsite backups, which delayed recovery. Despite pledging a security overhaul, including hiring external advisors and increasing its cybersecurity budget, Yes24 failed to prevent a recurrence and drew criticism for poor leadership and limited transparency.

The attack crippled high-value, time-sensitive transactions, risked reputational damage from failed high-profile events, and highlighted weaknesses in how the platform handles customer data and payments. Yes24 has a history of security lapses, including fines for violating South Korea’s Personal Information Protection Act (2016 and 2020) and a 2022 breach in which a teenage hacker stole 1.43 million e-book decryption keys. The repeated targeting underscores the platform’s attractiveness to criminals: large volumes of personal data and time-sensitive operations where every hour of downtime is immediately costly.

Source: https://therecord.media/yes24-second-ransomware-attack-kpop-ticketing-affected

TPRM report: https://www.rankiteo.com/company/yes24

"id": "yes3532135090825",
"linkid": "yes24",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': ['DAY6 fans',
                                               'Park Bo-gum concert attendees',
                                               'Enhypen fans',
                                               'Ateez fans',
                                               'B.I concertgoers',
                                               'general e-book users'],
                        'industry': ['ticketing',
                                     'e-commerce',
                                     'digital publishing'],
                        'location': 'South Korea',
                        'name': 'Yes24',
                        'size': 'large (largest ticketing/online book retailer '
                                'in South Korea)',
                        'type': 'private company'}],
 'customer_advisories': ['limited updates provided during August 2025 outage'],
 'data_breach': {'data_encryption': ['likely (ransomware)',
                                     'e-book decryption keys stolen in 2022 '
                                     '(1.43 million)']},
 'date_detected': '2025-08-XX ~04:30 AM (local time)',
 'date_publicly_disclosed': '2025-08-XX (same day as detection)',
 'date_resolved': '2025-08-XX (~11:30 AM local time, within 7 hours)',
 'description': 'South Korea’s largest ticketing and online book retailer, '
                'Yes24, experienced a ransomware attack that disrupted its '
                'website and mobile app for about seven hours on a Monday in '
                'August 2025, the company’s second ransomware incident in '
                'less than two months. Services were restored from backup '
                'data, but the outage caused panic among fans of K-pop band '
                'DAY6, whose ticket sales were scheduled for later that day. '
                'The company had previously suffered a five-day outage in '
                'June 2025 after a similar attack, which disrupted ticket '
                'sales for multiple high-profile K-pop acts. Yes24 was '
                'criticized for failing to prevent a recurrence despite '
                'pledges to overhaul security after the June incident.',
 'impact': {'brand_reputation_impact': ['damaged trust due to repeated '
                                        'breaches',
                                        'leadership scrutiny',
                                        'media criticism'],
            'customer_complaints': ['criticism for limited updates during '
                                    'incident',
                                    'backlash over recurrence despite security '
                                    'pledges'],
            'downtime': '~7 hours (August 2025); ~5 days (June 2025)',
            'operational_impact': ['halted ticket sales (DAY6, Park Bo-gum, '
                                   'Enhypen, Ateez, B.I)',
                                   'delayed K-pop presales and fan events',
                                   'disrupted e-book access',
                                   'community forum inaccessibility'],
            'systems_affected': ['website',
                                 'mobile app',
                                 'ticketing system',
                                 'e-book platform',
                                 'community forums']},
 'initial_access_broker': {'high_value_targets': ['ticketing databases',
                                                  'payment systems',
                                                  'e-book decryption keys']},
 'investigation_status': 'ongoing (no named attackers or ransom details '
                         'disclosed)',
 'lessons_learned': ['Offsite backup systems are critical for rapid recovery '
                     '(lack of which slowed June 2024 recovery).',
                     'Security overhauls require timely implementation to '
                     'prevent recurrence.',
                     'Transparent communication during incidents is essential '
                     'to maintain customer trust.',
                     'Ticketing platforms are high-value targets due to '
                     'personal data, high transaction volumes, and '
                     'time-sensitive events.'],
 'motivation': ['financial gain (likely)', 'disruption of high-profile events'],
 'post_incident_analysis': {'corrective_actions': ['Hiring of external '
                                                   'advisory group (post-June '
                                                   '2025).',
                                                   'Pledged security review '
                                                   'and budget increase '
                                                   '(implementation status '
                                                   'unclear).',
                                                   'System overhaul (status '
                                                   'unclear as of August '
                                                   '2025).'],
                            'root_causes': ['Lack of offsite backup systems '
                                            '(identified by KISA post-June '
                                            '2025).',
                                            'Security overhaul pledged after '
                                            'June had not been completed in '
                                            'time to prevent recurrence.',
                                            'Initial access vector not '
                                            'publicly disclosed.']},
 'ransomware': {'data_encryption': 'yes (implied by ransomware)'},
 'recommendations': ['Implement and test offsite backup systems to ensure '
                     'rapid recovery.',
                     'Accelerate the promised security overhaul, including '
                     'third-party audits.',
                     'Enhance real-time monitoring and threat detection '
                     'capabilities.',
                     'Develop a robust incident communication plan to keep '
                     'stakeholders informed.',
                     'Conduct regular penetration testing and red team '
                     'exercises.',
                     'Invest in employee cybersecurity training to mitigate '
                     'insider threats.'],
 'references': [{'source': 'The Record (Recorded Future News): '
                           'https://therecord.media/yes24-second-ransomware-attack-kpop-ticketing-affected'},
                {'source': 'Korea Internet & Security Agency (KISA)'},
                {'source': 'Local South Korean media (re: 2022 e-book '
                           'decryption key theft)'}],
 'regulatory_compliance': {'fines_imposed': ['2016 (unspecified)',
                                             '2020 (unspecified)'],
                           'regulations_violated': ['South Korea’s Personal '
                                                    'Information Protection '
                                                    'Act (fined in 2016 and '
                                                    '2020)'],
                           'regulatory_notifications': ['Korea Internet & '
                                                        'Security Agency '
                                                        '(KISA) involved '
                                                        'post-June 2025 '
                                                        'breach']},
 'response': {'communication_strategy': ['limited updates during August 2025 '
                                         'incident (criticized)',
                                         'public acknowledgment of outage'],
              'containment_measures': ['systems taken offline',
                                       'reliance on backup data'],
              'incident_response_plan_activated': 'yes (systems taken offline '
                                                  'to prevent further damage)',
              'recovery_measures': ['restoration from backup data (August '
                                    '2025)',
                                    '7-hour recovery time'],
              'remediation_measures': ['security review from the ground up '
                                       '(pledged post-June 2025)',
                                       'cybersecurity budget increase',
                                       'system overhaul'],
              'third_party_assistance': ['external advisory group (hired '
                                         'post-June 2025 breach)']},
 'title': 'Yes24 Ransomware Attack (August 2025)',
 'type': ['ransomware', 'service disruption']}
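The root cause KISA identified after the June outage, and the first recommendation in the record above, is the absence of tested offsite backups. The following is an added example, not Yes24's or Rankiteo's code, of the restore-drill check a practitioner would script for that lesson: build a hashed manifest at backup time, restore the offsite copy, and verify that every file is present, unmodified and younger than the recovery point objective. The directory layout, file names, manifest format and the one-day RPO are assumptions for illustration; the sample files are constructed in a temporary directory so the drill runs offline.

```python
"""Backup restore drill (added example, not Yes24 code).

A backup that has never been restored and verified is not a backup. This
script records a SHA-256 manifest at backup time, then checks a restored
copy against it and against an assumed recovery point objective (RPO).
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

RPO_SECONDS = 24 * 3600  # assumed RPO: backups older than one day are stale


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path, created_at: float) -> dict:
    """Record each file's relative path and digest at backup time."""
    files = {}
    for p in sorted(src_dir.rglob("*")):
        if p.is_file():
            files[str(p.relative_to(src_dir))] = sha256_file(p)
    return {"created_at": created_at, "files": files}


def verify_restore(manifest: dict, restored_dir: Path, now: float) -> dict:
    """Compare a restored tree against the manifest and check backup age.

    Returns a report: files missing from the restore, files whose digest
    differs (truncated, corrupted or encrypted), and whether the backup is
    older than the RPO. ok is True only if all three checks pass.
    """
    missing, corrupt = [], []
    for rel, digest in manifest["files"].items():
        p = restored_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupt.append(rel)
    stale = (now - manifest["created_at"]) > RPO_SECONDS
    ok = not (missing or corrupt or stale)
    return {"ok": ok, "missing": missing, "corrupt": corrupt, "stale": stale}


def run_drill() -> dict:
    """Constructed end-to-end drill: back up, copy offsite, tamper, verify.

    The 'prod' tree and its two files are made up for this example.
    """
    root = Path(tempfile.mkdtemp())
    try:
        src = root / "prod"
        src.mkdir()
        (src / "tickets.db").write_bytes(b"order=1;event=DAY6\n")
        (src / "ebook_keys.bin").write_bytes(os.urandom(32))
        t0 = 1_700_000_000.0  # assumed backup timestamp
        manifest = build_manifest(src, created_at=t0)

        offsite = root / "offsite"
        shutil.copytree(src, offsite)
        good = verify_restore(manifest, offsite, now=t0 + 3600)

        # Simulate ransomware reaching the copy: one file overwritten, one gone.
        (offsite / "tickets.db").write_bytes(b"ENCRYPTED")
        (offsite / "ebook_keys.bin").unlink()
        bad = verify_restore(manifest, offsite, now=t0 + 3600)

        # Intact data, but the newest backup is three days old: RPO breached.
        stale = verify_restore(manifest, src, now=t0 + 3 * 24 * 3600)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"good": good, "bad": bad, "stale": stale}


if __name__ == "__main__":
    for name, report in run_drill().items():
        print(name, report)
```

The manifest must live outside the production trust boundary, alongside the offsite copy and ideally on immutable or write-once storage: ransomware that can rewrite the data can also rewrite a manifest stored beside it, and a drill that trusts such a manifest proves nothing.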