South Korea’s Kyowon investigates ransomware attack as millions of accounts face exposure


South Korean authorities are investigating a suspected ransomware attack at Kyowon Group that could affect millions of user accounts. The company states that it is still assessing whether personal data was actually compromised.

South Korea’s education services giant Kyowon Group is investigating a cyberattack after authorities identified signs of a ransomware intrusion in its internal systems. Government investigators estimate that up to 9.6 million user accounts could be affected. The incident has triggered a government-led probe and raised concerns about data exposure across several Kyowon businesses.

A South Korean cybersecurity investigation team, which includes the Korea Internet and Security Agency (KISA), is now working with the company to assess the damage. Investigators are examining how far the attackers moved inside Kyowon’s network. They are also trying to determine whether customer data was accessed or stolen. Officials stress that the findings remain preliminary.

Informed sources said on Wednesday that the Kyowon Group had detected traces of a ransomware attack earlier this week. The company said it first noticed abnormal activity in its internal systems on Saturday and reported a possible breach on Monday.

Large-scale impact

The investigators reportedly believe that a large portion of Kyowon’s infrastructure may have been affected. Authorities estimate that roughly 600 of the company’s 800 servers fall within the scope of the breach.

Kyowon Group operates eight affiliates covering a wide range of services, including tutoring, home appliance rentals, and funeral services. Collectively, those businesses are said to manage data tied to around 13 million members.

After accounting for users who hold multiple memberships, investigators estimate that about 5.54 million unique individuals are involved. However, the higher 9.6-million figure reflects accounts rather than people, suggesting many users could have been exposed through more than one Kyowon service.

Kyowon has taken a cautious public stance, emphasizing that the investigation is ongoing. In a statement, the company said it had “identified indications of a possible data leak” and is working with relevant organizations and security institutions to determine whether personal data was actually compromised.

“If customer data is confirmed to have been leaked, we will notify users in a transparent manner,” the company said.

So far, Kyowon has not disclosed what type of data may have been affected, whether a ransom demand was made, or if operations were disrupted. Investigators have also not publicly linked the incident to any known ransomware group.

Such uncertainty is typical in the early stages of ransomware investigations, particularly when forensic teams are still determining whether attackers merely encrypted systems or also stole data for extortion purposes.

For now, investigators are focused on determining the true scope of the Kyowon breach and whether personal data was accessed or exfiltrated. If a leak is confirmed, Kyowon could face regulatory action under South Korea’s data protection laws, which impose strict requirements on safeguarding personal information and notifying affected users.

Part of a broader trend

The Kyowon incident adds to a growing list of high-profile cyber incidents in South Korea, where large organizations across sectors have been hit by cybercriminals.

In recent years, breaches at South Korean telecom operators and e-commerce giants have exposed customer data and drawn scrutiny from regulators.

Meanwhile, the education sector has become a prime target for cybercriminals. Schools and education service providers hold vast amounts of personal data, while typically operating with fewer cybersecurity resources than banks or telecoms.

Globally, ransomware groups have repeatedly targeted schools and universities, betting that operational disruption and public pressure will push victims to pay quickly.

