{
  "title": "YES24 Ransomware Attack Briefing",
  "turns": [
    {
      "turn": 1,
      "user": "Brief me on the YES24 incident.",
      "assistant": "YES24 is currently experiencing a severe service outage due to a ransomware attack that began on June 9, 2025. The key points of the situation are as follows.\n\n**1\\. Service outage and cause:**\n\n*   **Ransomware attack:** Starting around 4 a.m. on June 9, errors occurred when accessing the YES24 website and mobile app. On June 10, YES24 officially acknowledged that the disruption was due to a ransomware attack. The attackers are reportedly demanding payment in exchange for decryption.\n*   **Comprehensive service shutdown:** All online services at YES24—book search, ordering, delivery tracking, and ticketing—have been suspended. E-book viewing is also impossible due to DRM decryption failures. Offline stores are also affected, with book search, used-book sales, point accrual and redemption, and Takebook payments unavailable, disrupting operations.\n\n**2\\. Impact:**\n\n*   **Customer inconvenience:** Users are facing major inconvenience with book purchases and ticket reservations. In particular, ticket holders are unable to check their booking details, causing disruptions to attendance, and events such as fan signings have been canceled one after another.\n*   **Personal data exposure status:** According to YES24, its investigation found no leakage or loss of member personal information, and all data is intact.\n*   **Stock decline:** Following the news on June 10, YES24’s share price fell, with additional declines on June 11. The stock of its parent company, Hanse YES24 Holdings, also dropped.\n*   **Distrust in the e-book market:** The incident has highlighted that when a platform goes down, buyers may be unable to access their purchased e-books, fueling public distrust of e-books.\n\n**3\\. YES24’s response:**\n\n*   **Late acknowledgment of the hack:** Initially, the company posted a vague notice citing “system maintenance,” drawing criticism, and only acknowledged the ransomware attack 36 hours later.\n*   **Recovery efforts and compensation plans:** YES24 says it is doing everything it can to restore services and will announce compensation plans by impact level—both via a public notice and individual guidance—once access is normalized.\n*   **Cooperation with KISA:** The company reported the hack to the Korea Internet & Security Agency (KISA) and appears to be receiving technical support. However, some reports suggest YES24 has not fully agreed to KISA’s technical support, which could limit the investigation.\n\n**4\\. Previous “YES24 incident” (for reference):** Beyond the current ransomware situation, in November 2018 there was the “YES24 Korean male disparagement marketing incident,” where controversy arose over the use of expressions perceived as disparaging toward men during the marketing of a particular book, leading to mass member withdrawals. This is a separate matter from the current incident.\n\nOverall, the current YES24 situation is a large-scale service paralysis caused by a ransomware attack, resulting in severe impacts including customer inconvenience, reputational damage, and stock price declines. YES24 needs to focus on rapid service restoration, customer compensation, and robust measures to prevent recurrence."
    },
    {
      "turn": 2,
      "user": "Why they are not consenting to technical support from the Korea Internet & Security Agency regarding the cyberattack",
      "assistant": "At this time, the **exact reason** YES24 has not consented to cyberattack-related technical support from the Korea Internet & Security Agency (KISA) **is not known,** as YES24 has not officially disclosed it.\n\nHowever, based on media reports and what is typical for companies in these situations, there are a few plausible reasons.\n\n**Plausible reasons:**\n\n1.  **Confidence in handling it internally or reliance on in-house capabilities:**\n    *   YES24 may believe it has sufficient in-house security experts and recovery staff and therefore wants to minimize outside involvement.\n    *   Since they assert that backup data is safely preserved, they may prefer to focus on recovery using those backups.\n2.  **Concerns about exposing sensitive information:**\n    *   Accepting KISA’s support can entail disclosing sensitive details such as intrusion paths, internal system architecture, and security vulnerabilities to an external organization. Companies may be reluctant to let such information leave the organization.\n    *   Especially with ransomware, there can be sensitive matters such as negotiations with attackers or any payment-related issues.\n3.  **Concealing shortcomings in the initial response:**\n    *   YES24 initially posted a vague “system maintenance” notice and only later acknowledged the ransomware attack. If there were shortcomings or missed legal obligations in the early response, the company may hesitate to agree to KISA’s full technical support, fearing a thorough review could expose those issues.\n4.  **Complexity or disruption to an ongoing recovery effort:**\n    *   KISA’s support typically spans root-cause analysis, containment, and recovery planning. If internal recovery is already underway, management might worry that external involvement could create confusion or slow the effort.\n5.  **Legacy practices prior to amendments to the Information and Communications Network Act:**\n    *   In the past, even if a company refused KISA’s request to submit materials after a cyber incident, there was no legal penalty. The law has since been strengthened so that refusing to submit materials can lead to fines, but companies may still feel burdened by external intervention. (Of course, since the YES24 incident occurred after the amendment, it could be subject to fines.)\n\nCurrently, KISA says it is communicating with YES24 and providing support where necessary, but because YES24 has not consented to cyberattack-related technical support, it cannot compel evidence preservation or data submission needed for a precise investigation. As a result, critics say this is delaying identification of the overall scale of damage and the specific intrusion routes."
    },
    {
      "turn": 3,
      "user": "How much do you think the losses might be right now?",
      "assistant": "At this point, it’s very difficult to calculate the **exact amount of losses** from the YES24 ransomware attack. Losses include more than just direct monetary hits and can grow over time.\n\nHowever, we can estimate a rough scale by looking at the likely categories of loss.\n\n**1\\. Direct financial losses:**\n\n*   **Ransom payment (if any):** If they paid what the attackers demanded, that becomes the most direct loss. In ransomware cases, demands are often in cryptocurrencies like Bitcoin and can range from several billion to hundreds of billions of KRW. (It’s not known whether YES24 paid.)\n*   **Recovery costs:** Expenses for system restoration, security hardening, and hiring experts. This can include server rebuilds, data-recovery software, and new security solutions.\n*   **Lost profits (revenue loss):**\n    *   **Books and music/DVD sales halted:** Loss of revenue from the core books business being completely paused. The longer the outage, the more the losses compound.\n    *   **Ticketing suspended:** Losses from the suspension of ticket sales for performances, movies, etc.\n    *   **E-book service outage:** Losses from the inability to read e-books, affecting new purchases and use of existing purchases.\n    *   **Advertising and partnership revenue:** Reduced traffic can cut ad revenue and affect partner contracts.\n*   **Customer compensation and claims:**\n    *   Costs to compensate for customer inconvenience due to the outage (points, coupons, etc.).\n    *   If personal data leakage is confirmed or legal disputes arise (e.g., canceled ticketing), substantial damages may follow. (YES24 currently says no personal data was leaked.)\n*   **Fines and penalties:** If violations of the Information and Communications Network Act or other laws are found, significant fines or penalties could be imposed. This could be aggravated if shortcomings in the initial response—such as refusing KISA technical support—are established.\n\n**2\\. Non-monetary/long-term losses:**\n\n*   **Brand and trust erosion:** One of the most serious hits. Customers lose confidence, which can lead to long-term churn.\n*   **Weakened competitiveness:** Raises doubts about service reliability versus competitors and can impact market share.\n*   **Share price decline:** The stock has already fallen; if the crisis drags on, further declines are possible as investor confidence erodes.\n*   **Employee morale and operations:** Heightened internal confusion and burnout can reduce productivity.\n*   **Brand equity damage:** Recovery can take a long time, and regaining prior reputation may be difficult.\n\n**In short, current losses for YES24 are likely at least in the billions of KRW and could extend into the hundreds of billions.** The longer the outage, the more revenue loss, recovery costs, and customer compensation will snowball. Adding in intangible damage—brand harm, weakened competitiveness—the overall blow could be enormous.\n\nThe exact figure will only be clear once services are fully restored and all losses are tallied."
    }
  ]
}