Japanese beverage conglomerate Asahi has confirmed that the September ransomware attack, which crippled its domestic operations, may have compromised up to 1.94 million personal data records of customers, employees, past and present, business contacts and family members of staff.
According to the company, the potentially affected data includes 1.52 million customer records with names, gender, addresses and contact details alongside 114,000 records of individuals who received congratulatory or condolence telegrams from the company, 107,000 current and former employee records, and 168,000 records belonging to employees’ family members, including retirees’ families.
Asahi said only 18 cases of employee personal data stored on company-issued laptops have been confirmed as exposed to date.
The company reiterated that the preliminary investigation does not indicate any evidence of stolen data released on the dark web. It also said that credit card details were not part of the compromised information.
CEO apologises as disclosure begins
Asahi's CFO Kaoru Sakita (left), CEO Atsushi Katsuki (centre) and Kenji Hamada bow during a news conference in Tokyo on Thursday. Photo: Bloomberg
Making his first public appearance since the incident, president and CEO Atsushi Katsuki issued a formal apology: “I would like to sincerely apologise for any difficulties caused to our stakeholders by the recent system disruption. We are making every effort to achieve full system restoration as quickly as possible, while implementing measures to prevent recurrence and strengthening information security across the Group.
“Regarding product supply, shipments are resuming in stages as system recovery progresses. We apologise for the continued inconvenience and appreciate your understanding.”
Individuals whose data may have been exposed have been notified directly. The company has postponed the release of its full-year financial results to prioritise its recovery efforts.
The attack, detected on September 29, triggered a severe operational breakdown across 30 Asahi breweries in Japan. Asahi controls roughly 40% of Japan’s beer market, and retailers were warned of shortages of Asahi Super Dry and other beverages.
Asahi said the disruption began at around 7 am on September 29, when its internal systems first showed signs of disruption and encrypted files were detected soon after. By 11 am, the company shut down its network and isolated its data centre in an effort to contain the breach.
Subsequent investigations found that attackers had infiltrated the network through on-site equipment and deployed ransomware that encrypted data across multiple active servers and several company PCs.
Asahi maintains the incident is confined to systems managed in Japan, with overseas operations, including European brands such as Peroni and Fuller’s, unaffected.
Factory processing gradually resumed in early October, but order intake and shipments were handled by pen and paper for weeks.
An internal October update showed sales declines in Japan: 90% of last year’s levels for Asahi Breweries, 60% for Asahi Soft Drinks, and over 70% for Asahi Group Foods.
“We cannot avoid this short-term impact on our Japan operations, but we remain confident that our strong fundamentals ... are resilient and will prevail,” said CEO Katsuki.
Rising toll of ransomware attacks
After two months of containment, Asahi is now rebuilding and reconfiguring its systems. Shipments, disrupted throughout October, are gradually resuming.
Katsuki said: “We are making every effort to achieve full system restoration as quickly as possible, while strengthening information security across the group.”
Earlier this year, Japan’s National Police Agency (NPA) said around 200 cyberattacks targeted organisations, including the foreign and defence ministries and the semiconductor industry, between 2019 and 2024. Just a day later, security firm Trend Micro reported that at least 46 Japanese entities were hit in the two weeks after December 26, which disrupted banking services and even caused flight delays at Japan Airlines.
A September 2024 survey by Trend Micro found that ransomware-related shutdowns at Japanese companies lasted an average of 10 days; 5.1% of respondents said operations were halted for over a month.
The financial toll from such episodes varies with the length of recovery. In the first half of this year, 59% of companies and organisations under such attacks reported spending at least ¥10 million on investigating and recovering from ransomware attacks—a nine percentage points uptick compared with the full-year figure for 2024.
Among cases where recovery took two months or longer, nearly a third of companies (30%) said costs topped ¥100 million.
In April 2024, Japanese optics giant Hoya faced a cyberattack that disrupted operations for over three weeks, leaving some eyeglass brands missing from major retail shelves. The company reported a 40% drop in profits for its eyeglasses business in the April-June quarter.
In June, publisher Kadokawa was hit, shutting down its Niconico Douga video-sharing site and book shipping systems. The attack cost the company 2.4 billion yen ($16.3 million) in extraordinary losses for the fiscal year ending last March.
Outside Japan, Jaguar Land Rover had to stop production in the U.K. for over a month due to a cyberattack in August. The British government stepped in with 1.5 billion pounds ($2 billion) in loan guarantees.
