Kumon Institute of Education (Kumon) announced on August 20 that it had identified a new personal information leak affecting approximately 750,000 individuals. This breach follows a ransomware attack on Iseto, the company responsible for printing and delivering Kumon’s mailings.
Kumon Institute of Education (Kumon) revealed on August 20 that a ransomware attack on its contractor, Iseto, has led to a new data breach affecting approximately 750,000 individuals. The leaked information includes:
Details of 724,998 members: Membership numbers, learning materials used, classroom names, grades, and enrollment dates for members studying arithmetic, mathematics, English, or Japanese by February 2023.
Information on 71,446 members: Names, grades, and details of the highest-ranked certification tests passed by members qualified for Kumon’s internal certification test as of February 2023.
Data of 9,922 Baby Kumon members: Names, birthdates, ages, and guardian names of children enrolled in the “Baby Kumon” program for 0-2 year olds as of February 2023.
Certification test details: Membership numbers and results of two members who took the certification test in August 2023.
Due to overlap in the data categories, the total number of affected individuals is 739,714. Additionally, the breach includes names, classroom names, addresses, and bank account numbers of 17,481 Kumon instructors, with the last three digits of bank account information masked, except for one individual.
Kumon will notify those impacted by mid-September via mail. However, because the “Baby Kumon” program does not collect addresses or phone numbers at registration, Kumon has established an inquiry form for affected members. After verifying the inquiry, Kumon will send a letter to the specified address.
To prevent future incidents, Kumon plans to enhance its contractor screening processes, strengthen measures against unauthorized access, review contract terms, conduct audits, and provide employee training. This breach follows Kumon’s earlier announcements in June and July, where it disclosed the potential leak of addresses of 4,678 users on the “iKUMON site.” Other organizations, including the Kyoto Chamber of Commerce and Industry, a Kubota subsidiary, Wakayama City, and Tokushima Prefecture, have also reported potential data leaks due to the same ransomware attack on Iseto.
