Asahi Group Holdings has released the results of a two-month forensic investigation into a major cyberattack.
The attack disrupted operations across its Japan-managed systems and exposed personal data belonging to customers, employees, and business contacts. The company submitted a final report to Japan’s Personal Information Protection Commission on November 26 and pledged further remediation steps, including long-term security reforms and a redesign of its network architecture.
The incident, first disclosed on September 29, represents one of the most significant cybersecurity breaches among Japan’s major consumer-goods manufacturers in recent years. The scale of potential data exposure highlights growing risks for companies with large customer bases and complex legacy systems, particularly as ransomware groups increasingly target global food and beverage conglomerates.
Sequence of events
According to Asahi’s report, the disruption began around 7:00 a.m. JST on September 29 when encrypted files were discovered across internal systems. By late morning, the company severed external network connections to prevent further compromise and isolate its data center.
Investigators determined that attackers gained unauthorized access through network equipment at one of the Group’s sites, moving laterally until they reached the data center. The intruders deployed ransomware simultaneously across multiple servers and employee PC devices, encrypting operational data essential for daily functions such as logistics, order processing, and administrative workflows.
While the company was examining systems targeted by the attack, it identified that some files stored on employee-issued PCs had been exposed. Forensic teams also found evidence suggesting that certain servers holding personal information may have been accessed. However, Asahi emphasized that there is currently no indication that the stolen data has been published online.
The company noted that the impact was limited to systems operated within Japan, a point that mitigates risk for its overseas operations but underscores the vulnerability of domestic infrastructure.
Scope of the data exposure
Asahi listed four categories of individuals whose information has been confirmed exposed or may be at risk. The totals exceed 1.9 million records, underscoring the widespread footprint of the breach:
• Customers who contacted service centers for Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods: approximately 1,525,000 records, including names, gender, addresses, phone numbers, and email addresses.
• External recipients of congratulatory or condolence telegrams: roughly 114,000 records containing names, addresses, and phone numbers.
• Employees and retirees: about 107,000 records containing personally identifiable information such as names, birthdates, gender, home contact details, and other undisclosed data attributes.
• Family members of employees and retirees: approximately 168,000 records, including names, dates of birth, and gender.
The company confirmed that credit-card data was not involved in the breach. However, cybersecurity experts note that the exposed information could still be used for identity theft, targeted phishing campaigns, or social-engineering attempts—risks that typically rise in the months following a breach. Because some data dates back years, individuals who have had past interactions with Asahi may be affected even if they are no longer customers or employees.
Asahi said it will begin contacting confirmed affected individuals and those potentially at risk, a process that may take several weeks given the volume. A dedicated call center has been established to handle inquiries.
System restoration
Restoration has taken roughly two months as the company worked to contain the ransomware, rebuild systems, and enhance security controls. External experts conducted forensic analyses to determine how the attackers infiltrated the network, identify compromised endpoints, and ensure no hidden backdoors remained.
The company is restoring systems in phases only after they pass integrity checks. While operations have gradually resumed, disruptions earlier in the fall led to delays in logistics, order fulfillment, and some product shipments. The company said product supply is now stabilizing, though it acknowledged lingering effects on partners and consumers.
Ongoing monitoring and security enhancements will continue as systems return to full capacity. Large-scale manufacturers increasingly depend on interlinked digital environments for production, warehousing, and distribution, meaning ransomware incidents can rapidly cascade into supply-chain challenges.
Planned countermeasures
Asahi outlined a series of preventive measures, including a comprehensive redesign of communication routes and network controls, stricter connection restrictions, and segmentation of internet-facing functions into secure zones. The company also plans to refine its threat-monitoring systems, overhaul backup strategies, and reinforce business-continuity planning to ensure faster recovery in future emergencies.
These measures reflect broader trends across Japan’s corporate sector, where aging infrastructure and historically limited cybersecurity budgets have made firms attractive targets for sophisticated criminal groups. Regulatory expectations have strengthened in recent years, and companies are now under greater pressure to demonstrate proactive defenses and robust incident-response capabilities.
Ongoing employee training and regular external audits will also form part of Asahi’s security governance reforms—a crucial step, as human error remains a major vector for cyberattacks globally.