Incident Types: The types of cybersecurity incidents that have occurred include Ransomware and Cyber Attack.

Total Financial Loss: The total financial loss from these incidents is estimated to be $15 billion.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (investigation underway), and remediation measures with working to restore operations, and communication strategy with public statement issued (apology to customers/partners), and containment measures with fermeture des usines affectées, and communication strategy with conférence de presse du premier ministre shigeru ishiba (2025-07-21), and incident response plan activated with yes (manual order and shipping processes initiated), and recovery measures with manual order and shipping processes, and incident response plan activated with yes (under investigation), and remediation measures with restarted production at affected plants, and communication strategy with public disclosure via spokesperson statement, communication strategy with declined to comment on extortion details, and incident response plan activated with yes (it teams engaged in system rebuild), and containment measures with isolation of infected systems, containment measures with disconnection of digital networks, and remediation measures with manual order processing (fax/paper), remediation measures with in-person order collection, remediation measures with gradual system restoration, and recovery measures with rebuilding digital infrastructure from scratch, recovery measures with partial restart of 6 breweries by early october 2025, and communication strategy with public disclosure via media (e.g., the japan times), communication strategy with customer advisories on potential shortages, and incident response plan activated with yes (partial recovery ongoing), and containment measures with isolation of affected systems, containment measures with manual order processing, and remediation measures with system restoration from backups (assumed), and recovery measures with gradual resumption of production (by 2024-10-10), recovery measures with prioritization of key products (asahi super dry), recovery measures with expanded shipments from 2024-10-15, and communication strategy with public statement on 2024-10-09 (wednesday), communication strategy with spokesperson updates, communication strategy with no details on ransom negotiations, and law enforcement notified with historical: lockbit's 2024 takedown involved international law enforcement (servers, domains, decryption keys seized; lockbitsupp's identity revealed as dmitry yuryevich khoroshev), and and and containment measures with partial reopening of factories, containment measures with isolation of affected systems (likely), and remediation measures with manual order processing via pen/paper/fax, remediation measures with gradual restoration of it systems, and recovery measures with prioritizing shipments to larger customers, recovery measures with limited production resumption, and communication strategy with public apology for disruptions, communication strategy with updates via media (no direct timeline provided), and and containment measures with system shutdown (ordering, shipping, call centers), containment measures with isolation of affected systems, and remediation measures with investigation into data transfer, remediation measures with system restoration efforts, and recovery measures with manual order processing (temporary), recovery measures with brewery operations resumed, and communication strategy with public statements on attack and potential data theft, communication strategy with planned notifications to affected individuals if data breach confirmed, and recovery measures with manual order processing (temporary workaround), and incident response plan activated with yes (manual processing implemented), and containment measures with reversion to manual order processing (phone, fax, in-person), and and containment measures with system isolation, containment measures with restoration efforts, and remediation measures with system recovery in progress, and recovery measures with phased resumption of product shipments, and communication strategy with public statement by ceo atsushi katsuki, communication strategy with apology for inconvenience..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Average Financial Loss: The average financial loss per incident is $1.15 billion.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are None confirmed, Personal Details (Employees), Financial Documents, Budgets, Contracts, Plans, Development Forecasts, , Internal Documents, Corporate Files, , Financial Records, Contracts, Business Forecasts, Pii (Employees), , Corporate Data (Suspected), Potentially Customer/Partner Data (Unconfirmed), , Personal Information (Employee Records, Id Cards), Corporate Data (Contracts, Financial Data, Forecasts), , Financial Data, Employee Personal Information and .

Incident Response Plan: The company's incident response plan is described as Yes (investigation underway), , , Yes (IT teams engaged in system rebuild), Yes (partial recovery ongoing), , , Yes (manual processing implemented), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Working to restore operations, restarted production at affected plants, , Manual order processing (fax/paper), In-person order collection, Gradual system restoration, , system restoration from backups (assumed), , Manual order processing via pen/paper/fax, Gradual restoration of IT systems, , Investigation into data transfer, System restoration efforts, , system recovery in progress, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by fermeture des usines affectées, , isolation of infected systems, disconnection of digital networks, , isolation of affected systems, manual order processing, , partial reopening of factories, isolation of affected systems (likely), , system shutdown (ordering, shipping, call centers), isolation of affected systems, , reversion to manual order processing (phone, fax, in-person), , system isolation, restoration efforts and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through manual order and shipping processes, , Rebuilding digital infrastructure from scratch, Partial restart of 6 breweries by early October 2025, , gradual resumption of production (by 2024-10-10), prioritization of key products (Asahi Super Dry), expanded shipments from 2024-10-15, , Prioritizing shipments to larger customers, Limited production resumption, , Manual order processing (temporary), Brewery operations resumed, , Manual order processing (temporary workaround), phased resumption of product shipments, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Historical: 2024 law enforcement action against LockBit (servers seized, identity revealed).

Key Lessons Learned: The key lessons learned from past incidents are Nécessité urgente de moderniser les systèmes informatiques obsolètes au Japon.,Renforcement requis des investissements dans la cybersécurité et la formation des experts (déficit de 110 000 professionnels en 2025).,Transition d'une stratégie réactive à une cyberdéfense active (loi prévue pour 2026).,Collaboration internationale accrue (pressions des États-Unis pour améliorer la posture cybernétique).Unintended resilience of analog systems (e.g., fax machines) during cyberattacks,Importance of maintaining fallback operational protocols,Vulnerability of digital-only workflows to ransomware disruptions,Need for robust incident response plans to accelerate recoveryCollaboration among RaaS groups can amplify threat capabilities, targeting critical infrastructure and previously low-risk sectors. Law enforcement actions (e.g., LockBit takedown) may temporarily disrupt operations but fail to fully dismantle groups due to decentralized structures and affiliate mobility.Japan's reliance on legacy systems and low digital literacy increases vulnerability to cyber-attacks.,Manual fallback processes (e.g., fax) are inefficient and disrupt modern supply chains.,Ransomware-as-a-Service (RaaS) models enable less-skilled threat actors to target large organizations.,Government intervention (e.g., ACD law) is critical but requires time to implement effectively.Legacy system integration during consolidation creates vulnerabilities; manual backup processes (e.g., fax) are insufficient for modern operations; competitor poaching of market share during downtime can have long-term brand loyalty impacts.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Asahi Group Holdings Statement, and Source: Media Report (unspecified)Date Accessed: 2025-MM-DD (Tuesday morning, day after disclosure), and Source: Teikoku DatabankDate Accessed: 2025-05, and Source: Akamai Technologies (rapport sur les attaques DDoS)Date Accessed: fin 2024, and Source: ISC² et METI (ministère japonais de l’Économie, du Commerce et de l’Industrie)Date Accessed: 2023 (données reprises en 2025), and Source: Yomiuri Shimbun (propos d'un officiel américain)Date Accessed: 2025-07, and Source: AFP (photo de Shigeru Ishiba)Date Accessed: 2025-07-21, and Source: ComparitechDate Accessed: 2025-10-07, and Source: ZeroFox Q3 2025 Ransomware Roundup, and Source: NCC Group August 2025 Ransomware Report, and Source: Reuters, and Source: eCrime.ch (cybercrime research platform), and Source: BloombergDate Accessed: 2025-10-08, and Source: The Japan TimesDate Accessed: 2025-10-04, and Source: PayPerFax Research CompilationUrl: https://payperfax.com, and Source: ABNewswireUrl: https://www.abnewswire.com/email_contact_us.php?pr=when-ransomware-hit-in-2025-japans-biggest-brewery-survived-on-fax-machines, and Source: Bloomberg, and Source: Qilin's dark web blog, and Source: Asahi Group Holdings Ltd. public statement (2024-10-09), and Source: The Register, and Source: ReliaQuest Q3 2025 Ransomware Report, and Source: vx-underground (malware collector), and Source: Telegram (Scattered Lapsus$ Hunters announcement), and Source: BBC NewsUrl: https://www.bbc.com/news/articles/cpv1v5d0v1xoDate Accessed: June 2024, and Source: ReutersDate Accessed: June 2024, and Source: AFP via Getty ImagesDate Accessed: June 2024, and Source: The Register, and Source: Asahi Group Holdings Public Statements, and Source: National Cyber Security Centre Report (mentioned in article), and Source: News report (unspecified), and Source: BloombergUrl: https://www.bloomberg.comDate Accessed: 2025-11-12, and Source: Nikkei Inc., and Source: AFP (Agence France-Presse), and Source: Asahi Group Holdings public statement (September 29, 2025), and Source: Japanese media reports on Qilin's claim of responsibility.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public statement issued (apology to customers/partners), Conférence De Presse Du Premier Ministre Shigeru Ishiba (2025-07-21), Public Disclosure Via Spokesperson Statement, Declined To Comment On Extortion Details, Public Disclosure Via Media (E.G., The Japan Times), Customer Advisories On Potential Shortages, Public Statement On 2024-10-09 (Wednesday), Spokesperson Updates, No Details On Ransom Negotiations, Public Apology For Disruptions, Updates Via Media (No Direct Timeline Provided), Public Statements On Attack And Potential Data Theft, Planned Notifications To Affected Individuals If Data Breach Confirmed, Public Statement By Ceo Atsushi Katsuki and Apology For Inconvenience.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Public apology issued to customers and business partners, Yes (statement warning of service disruptions), Aucune Date De Retour À La Normale Annoncée Pour La Production D'Asahi Super Dry., , Public Statements On Operational Status, Warnings To Retailers/Customers About Potential Shortages, Notifications About Order Delays, Potential Product Shortages (E.G., Super Dry Beer), , Limited Public Updates Via Spokesperson, Indirect Communication Via Retailers/Restaurants On Product Availability, , Salesforce statement: 'Salesforce will not engage, negotiate with, or pay any extortion demand.', Apology Issued To Customers And Partners, No Detailed Advisory On Mitigation Steps, Warnings Of Product Shortages From Asahi And Convenience Store Chains (Familymart, 7-Eleven, Lawson), , Company plans to notify affected individuals if data breach confirmed, Delay In Financial Results Announcement, Phased Resumption Of Shipments, Apology For Inconvenience, Request For Understanding During Recovery and .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Adoption Récente De Lois De Cyberdéfense Active (2026) Pour Le Contre-Espionnage Et La Détection Précoce., Campagne Nationale De Formation Et D'Incitation Aux Carrières En Cybersécurité (Objectif : 50 000 Experts Certifiés D'Ici 2030)., Système D'Habilitations De Sécurité Nationale (Meti, Mai 2025) Pour Protéger Les Informations Sensibles., Doublement Prévu Des Spécialistes En Cybersécurité D'Ici 2030., , System Rebuild From Scratch, Partial Restoration Of Brewery Operations (6/30 Factories By Early October), Continued Reliance On Analog Systems (Fax/Paper) During Recovery, , Japanese Government'S Active Cyber Defense Law (Acd) Empowers Proactive Measures (E.G., Neutralizing Attacker Servers)., Asahi Likely Reviewing It Infrastructure Modernization And Cybersecurity Investments., Convenience Store Chains Diversifying Suppliers To Mitigate Single-Point Failures., .

Ransom Payment History: The company has Paid ransoms in the past.

Last Attacking Group: The attacking group in the last incident were an Qilin ransomware group, Qilin (Ransomware-as-a-Service group), Qilin Ransomware Group, Qilin (Russian-speaking hacker group), DragonForceQilinLockBit, Qilin Ransomware Group, Qilin ransomware group, Qilin, Qilin (suspected and Russia-based).

Most Recent Incident Detected: The most recent incident detected was on 2025-07-21.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-29.

Most Recent Incident Resolved: The most recent incident resolved was on 2024-10-02.

Highest Financial Loss: The highest financial loss from an incident was Projected ¥15 billion core operating loss for Q4; full-year guidance expected to miss by 13%; higher marketing costs to win back customers.

Most Significant Data Compromised: The most significant data compromised in an incident were None confirmed (as per Asahi's statement), employee personal details, financial documents, budgets, contracts, plans, development forecasts, Type: ['internal documents', 'corporate data'], Volume: 27 GB (9,300+ files), , Type: ['internal documents', 'corporate data'], Volume: 27 GB (9,300+ files), , financial documents, contracts, development forecasts, employees' personal information, , , Employee records, Contracts, Financial data, Forecasts, Personal documents (e.g., employee ID cards), and .

Most Significant System Affected: The most significant system affected in an incident were Order and shipment systems (group companies in Japan)Call center operationsCustomer service desks and systèmes de commandesystèmes de livraison30 usines nationales and serversorder and shipment systemscall center operations and beer production plants (6 locations in Japan) and All computer systems30 factoriesDigital order processingSupply chain management and production systemsdistribution networksorder processing and Production Systems (30 factories, including 6 breweries)Order Processing SystemsShipment Logistics SystemsCommunication Systems (reverted to fax) and Ordering systemsShipping systemsCall center systemsAccounting/financial systems and and Order and shipment processing systemFinancial data accessSupply chain operations and financial reporting systemssupply chain/logistics systems and productionsupply chaindistribution.

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were fermeture des usines affectées, Isolation of infected systemsDisconnection of digital networks, isolation of affected systemsmanual order processing, Partial reopening of factoriesIsolation of affected systems (likely), System shutdown (ordering, shipping, call centers)Isolation of affected systems, Reversion to manual order processing (phone, fax, in-person) and system isolationrestoration efforts.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Personal documents (e.g., employee ID cards), employees' personal information, employee personal details, Employee records, development forecasts, Contracts, Forecasts, plans, financial documents, None confirmed (as per Asahi's statement), contracts, Financial data and budgets.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.0B.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was Unclear (no confirmation of payment or refusal).

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Historical: 2024 law enforcement action against LockBit (servers seized, identity revealed).

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Government intervention (e.g., ACD law) is critical but requires time to implement effectively., Legacy system integration during consolidation creates vulnerabilities; manual backup processes (e.g., fax) are insufficient for modern operations; competitor poaching of market share during downtime can have long-term brand loyalty impacts.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Implement robust incident response plans with automated fallback systems (not manual)., Adopter une approche proactive pour anticiper les cybermenaces (ex : contre-espionnage)., Review third-party risk exposure (e.g., Salesforce environments targeted by Scattered Lapsus$ Hunters)., Accélérer la mise en œuvre des lois de cyberdéfense active (prévues pour 2026)., Développer des programmes de formation intensifs pour combler le déficit d'experts en cybersécurité (objectif : 50 000 certifiés d'ici 2030)., Invest in cybersecurity training and hiring to address the shortage of professionals., Develop and test manual fallback procedures for cyber incident scenarios, Accelerate digital transformation to replace legacy systems in Japanese businesses., Enhance defenses against social engineering (e.g., Scattered Lapsus$ Hunters' tactics) and RaaS-based attacks., Evaluate legacy system retention as a potential resilience measure, Prepare for potential ransomware-as-a-service innovations (e.g., 'ShinySp1d3r RaaS')., Prioritize supply chain resilience in cybersecurity strategies., Enhance public-private collaboration for threat intelligence sharing under ACD law., Enhance employee training on phishing/malicious file risks, Implement hybrid (digital + analog) backup systems for critical operations, Invest in network segmentation to limit ransomware spread, Renforcer la coopération public-privé pour partager les bonnes pratiques et les alertes en temps réel., Investir massivement dans la modernisation des infrastructures IT gouvernementales et industrielles., Monitor for joint operations by DragonForce, Qilin, and LockBit, especially in critical infrastructure sectors. and Strengthen incident response plans for multi-group cybercrime collaborations..

Most Recent Source: The most recent source of information about an incident are NCC Group August 2025 Ransomware Report, AFP (Agence France-Presse), Asahi Group Holdings Ltd. public statement (2024-10-09), Asahi Group Holdings Statement, Asahi Group Holdings public statement (September 29, 2025), Comparitech, Telegram (Scattered Lapsus$ Hunters announcement), BBC News, vx-underground (malware collector), ABNewswire, Asahi Group Holdings Public Statements, AFP via Getty Images, ISC² et METI (ministère japonais de l’Économie, du Commerce et de l’Industrie), National Cyber Security Centre Report (mentioned in article), Akamai Technologies (rapport sur les attaques DDoS), Media Report (unspecified), The Register, eCrime.ch (cybercrime research platform), The Japan Times, ZeroFox Q3 2025 Ransomware Roundup, Qilin's dark web blog, ReliaQuest Q3 2025 Ransomware Report, Japanese media reports on Qilin's claim of responsibility, Yomiuri Shimbun (propos d'un officiel américain), Bloomberg, News report (unspecified), Teikoku Databank, PayPerFax Research Compilation, AFP (photo de Shigeru Ishiba), Reuters and Nikkei Inc..

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://payperfax.com, https://www.abnewswire.com/email_contact_us.php?pr=when-ransomware-hit-in-2025-japans-biggest-brewery-survived-on-fax-machines, https://www.bbc.com/news/articles/cpv1v5d0v1xo, https://www.bloomberg.com .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Active (cause under investigation).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Public apology issued to customers and business partners, Public statements on operational status, Warnings to retailers/customers about potential shortages, Limited public updates via spokesperson, Apology issued to customers and partners, No detailed advisory on mitigation steps, Company plans to notify affected individuals if data breach confirmed, delay in financial results announcement, phased resumption of shipments, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Yes (statement warning of service disruptions), Aucune date de retour à la normale annoncée pour la production d'Asahi Super Dry., Notifications about order delaysPotential product shortages (e.g., Super Dry beer), Indirect communication via retailers/restaurants on product availability, Salesforce statement: 'Salesforce will not engage, negotiate with, or pay any extortion demand.', Warnings of product shortages from Asahi and convenience store chains (FamilyMart, 7-Eleven, Lawson) and apology for inconveniencerequest for understanding during recovery.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Utilisation de systèmes et logiciels obsolètes dans les infrastructures critiques.Manque d'investissements soutenus dans la modernisation IT.Culture réactive (plutôt que proactive) en matière de cybersécurité.Pénurie chronique d'experts qualifiés (110 000 manquants en 2025).Retard dans l'adoption de mesures de cyberdéfense active (loi prévue seulement pour 2026)., Likely initial access via phishing or malicious file downloadLack of network segmentation to contain ransomware spreadOver-reliance on digital systems without tested manual fallbacks, Decentralized RaaS affiliate models enable rapid reformation post-law enforcement actions.Lack of international coordination to permanently dismantle cybercrime groups.Financial incentives drive collaboration among competing threat actors., Over-reliance on legacy IT systems with poor security controls.Insufficient cybersecurity workforce and digital literacy in business operations.Lack of preparedness for ransomware attacks (e.g., no immediate automated fallbacks).Cultural trust in systems without proportional risk management., Vulnerabilities in legacy systems during integration; lack of resilient backup systems for order processing.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Adoption récente de lois de cyberdéfense active (2026) pour le contre-espionnage et la détection précoce.Campagne nationale de formation et d'incitation aux carrières en cybersécurité (objectif : 50 000 experts certifiés d'ici 2030).Système d'habilitations de sécurité nationale (METI, mai 2025) pour protéger les informations sensibles.Doublement prévu des spécialistes en cybersécurité d'ici 2030., System rebuild from scratchPartial restoration of brewery operations (6/30 factories by early October)Continued reliance on analog systems (fax/paper) during recovery, Japanese government's Active Cyber Defense Law (ACD) empowers proactive measures (e.g., neutralizing attacker servers).Asahi likely reviewing IT infrastructure modernization and cybersecurity investments.Convenience store chains diversifying suppliers to mitigate single-point failures..