Yes24 warns of possible data breach as outage drags on; full recovery by Sunday

(Yes24)

Yes24 warned Thursday that it would notify users individually if personal data was compromised in the ransomware attack that has shut down its services for four consecutive days. This marks a shift from the company’s earlier stance that no data breach had occurred.

The statement, posted on Yes24’s official website and app outage page on Thursday morning, came just one day after South Korea’s Personal Information Protection Commission launched a formal investigation into the incident. Until now, the company had consistently maintained that there were “no indications” of customer data being leaked.

“Yes24 will issue individual notifications if further investigations confirm any personal data exposure,” the company said on the website. The company reiterated that no breach has been identified so far based on its internal review.

The notice comes as frustration mounts over the ongoing shutdown. Yes24’s website and mobile app have been inaccessible since early Monday, after a ransomware attack disabled the company’s main and backup servers. Critical internal files used to control system operations were targeted in the hack, according to Yes24 officials.

Outrage drags into day four, full recovery expected by Sunday

As of Thursday, customers were still unable to access core services, including book purchases and event ticketing. Yes24 is a dominant player in both sectors, with more than 20 million registered users and a 2024 revenue of 671.4 billion won ($494 million). Its platform handles not only retail book sales but also ticketing for major concerts, musicals and exhibitions.

The company said it has deployed its full team of cybersecurity personnel to work around the clock, and that on-site ticket verification systems could be restored by Thursday evening. Other services are expected to return gradually, with full recovery “no later than Sunday,” Yes24 said in a statement Wednesday afternoon.

Still, many customers have already reported delayed or canceled orders, with no refunds yet issued. Venue staff for concerts and theater performances are manually collecting names and checking paper proof of reservations, while some audience members have been turned away entirely due to the system being down.

Backlash over delays and mixed messages

Yes24 is now facing scrutiny not just for the attack itself but for its slow and inconsistent communication.

The company initially attributed the outage to "system maintenance" and waited over 36 hours to disclose on Tuesday that it had suffered a ransomware attack. The admission came only after a National Assembly lawmaker revealed that the company had reported the incident to the Korea Internet & Security Agency earlier Monday afternoon.

Even then, Yes24 claimed it was cooperating closely with KISA. But KISA later said Wednesday that no formal request for technical support had been made, and that its analysts received only verbal briefings during two visits to the company’s headquarters. As of Wednesday evening, KISA confirmed that no collaborative investigation was underway.

Meanwhile, the National Police Agency is also conducting a preliminary inquiry, looking into the source of the attack and whether customer data was compromised.