Kyowon Group hit by group-wide ransomware attack via exposed server

Kyowon Group, a large South Korean conglomerate, was hit by a ransomware attack on January 10, 2026. The breach hit several subsidiaries, including those for education, funeral services, and travel. 

The attack caused widespread system failures and taking websites offline.

The Korea Internet & Security Agency (KISA) found that the attackers used a server with an open external port to gain access. Once they gained a foothold, they moved through the connected networks of the group's subsidiaries. This lateral movement allowed the ransomware to spread across the entire corporate infrastructure.

The attack forced the group to shut down its internal authentication and management system, known as Kyowon Super Star (KSS). Most IT services remain inaccessible as the company tries to rebuild from backups.

The group holds data for millions of people, ranging from preschoolers to adults. While a leak is not yet confirmed, the attackers have already tried to extort the company. 

The number of affected individuals and exposed data types is not disclosed. 

Kyowon Group reported the incident to KISA and police and are working with security experts to find out if any data was stolen. The company apologized to its members and promised to notify them if they find a breach.

Update - as of 14th of January 2026, Kyowon confirmed the incident. According to Korean media, there are over 9.6 million accounts registered belonging to about 5.5 million people, who may have been exposed. The number of affected individuals is still not disclosed.