YES24 faces criticism over cyberattack response and false statements

YES24’s services still down, government disputes company’s official account

YES24, South Korea’s largest online platform for book orders, e-book services, and concert ticket reservations, boasting nearly 20 million members, remained inaccessible for 91 consecutive hours as of 11 p.m. on June. 12 following a cyberattack. As user frustration mounted over the prolonged service outage, the company came under intensifying criticism for allegedly issuing misleading public statements.

Outside the YES24 headquarters in Seoul on June. 12. The nation’s largest online platform for books, e-books, and concert tickets, with 20 million members, has remained offline for four days following a ransomware attack. /Yonhap News

On the night of June. 11, the Korea Internet & Security Agency (KISA)—the government body overseeing cyber incident response—issued a rare late-night statement disputing YES24’s earlier announcement and accusing the company of disseminating false information. On the same day, the Personal Information Protection Commission also challenged YES24’s repeated assertions that no user data had been compromised, stating that the company itself had submitted a breach notification during the ransomware incident. The conflicting accounts have fueled further scrutiny of YES24’s handling of the crisis.

Graphics by Yang In-sung

At 10:30 p.m. on June. 11, KISA released a highly unusual press statement, explicitly rejecting YES24’s claim, issued earlier that afternoon, that it was “jointly investigating the incident in cooperation with KISA.” The agency clarified that it was not merely reporting a cyberattack but actively calling out the company for attempting to mislead the public—an extraordinary step for a government authority.

In fact, KISA had dispatched a team of three to four cybersecurity experts to YES24’s headquarters on both June. 10 and 11 to investigate the breach and support recovery efforts. However, according to the agency, YES24 denied the investigators access to its systems, citing restoration work in progress. KISA said its personnel were left waiting on site for two to three hours on each visit before being turned away. Despite this, YES24 continued to claim it was cooperating with KISA, prompting the agency to publicly deny that any joint investigation had taken place.

Amid growing public pressure, YES24 ultimately allowed KISA to conduct an on-site inspection on June. 12. Starting at 5 p.m., three to four KISA investigators resumed their work. A KISA official noted that the investigation would take time, citing “numerous elements that need verification.”

Industry observers have questioned YES24’s motives for issuing contradictory statements, suggesting the company may have been attempting to conceal vulnerabilities in its internal cybersecurity protocols. Under South Korean law, companies are required to report a cyber incident within 24 hours of detection. Some speculate that YES24 filed the report to comply with legal obligations but sought to downplay the breach to limit reputational fallout.

The controversy has extended beyond KISA. At 6:25 p.m. on June. 11, the Personal Information Protection Commission announced it had launched an investigation into a potential data leak. The commission stated that YES24 had reported “unusual activity involving user account access,” implying the possibility of a data breach. Yet just 30 minutes prior, YES24 had distributed a press release to media outlets claiming that “no personal data has been leaked or lost.” Following the commission’s announcement, YES24 revised its explanation, saying the statement had been made “in consideration of a remote possibility.”

KISA, now actively conducting its on-site investigation, is first expected to assist YES24 in meeting its stated goal of restoring services by June. 15. Afterward, the agency will assess the extent of the breach, including whether sensitive data was exfiltrated from servers or internal systems during the attack.