Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack and Ransomware.

Total Financial Loss: The total financial loss from these incidents is estimated to be $15 billion.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (investigation underway), and remediation measures with working to restore operations, and communication strategy with public statement issued (apology to customers/partners), and incident response plan activated with yes (manual order and shipping processes initiated), and recovery measures with manual order and shipping processes, and incident response plan activated with yes (under investigation), and remediation measures with restarted production at affected plants, and communication strategy with public disclosure via spokesperson statement, communication strategy with declined to comment on extortion details, and incident response plan activated with yes (it teams engaged in system rebuild), and containment measures with isolation of infected systems, containment measures with disconnection of digital networks, and remediation measures with manual order processing (fax/paper), remediation measures with in-person order collection, remediation measures with gradual system restoration, and recovery measures with rebuilding digital infrastructure from scratch, recovery measures with partial restart of 6 breweries by early october 2025, and communication strategy with public disclosure via media (e.g., the japan times), communication strategy with customer advisories on potential shortages, and incident response plan activated with yes (partial recovery ongoing), and containment measures with isolation of affected systems, containment measures with manual order processing, and remediation measures with system restoration from backups (assumed), and recovery measures with gradual resumption of production (by 2024-10-10), recovery measures with prioritization of key products (asahi super dry), recovery measures with expanded shipments from 2024-10-15, and communication strategy with public statement on 2024-10-09 (wednesday), communication strategy with spokesperson updates, communication strategy with no details on ransom negotiations, and and and containment measures with partial reopening of factories, containment measures with isolation of affected systems (likely), and remediation measures with manual order processing via pen/paper/fax, remediation measures with gradual restoration of it systems, and recovery measures with prioritizing shipments to larger customers, recovery measures with limited production resumption, and communication strategy with public apology for disruptions, communication strategy with updates via media (no direct timeline provided), and recovery measures with manual order processing (temporary workaround), and incident response plan activated with yes (manual processing implemented), and containment measures with reversion to manual order processing (phone, fax, in-person), and and containment measures with system isolation, containment measures with restoration efforts, and remediation measures with system recovery in progress, and recovery measures with phased resumption of product shipments, and communication strategy with public statement by ceo atsushi katsuki, communication strategy with apology for inconvenience, and and communication strategy with public announcement on company website, and and containment measures with isolation of affected systems, containment measures with manual order processing to mitigate supply chain disruptions, and remediation measures with system restoration (ongoing as of december 2023), remediation measures with gradual resumption of production, and recovery measures with expected full system recovery by february 2024, and communication strategy with public press conference by ceo atsushi katsuki, communication strategy with delayed financial disclosures with promises of transparency post-recovery, communication strategy with apologies to customers for inconvenience..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Equipment located at Asahi Group’s site.

Average Financial Loss: The average financial loss per incident is $1.36 billion.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are None confirmed, Personal Details (Employees), Financial Documents, Budgets, Contracts, Plans, Development Forecasts, , Internal Documents, Corporate Files, , Financial Records, Contracts, Business Forecasts, Pii (Employees), , Corporate Data (Suspected), Potentially Customer/Partner Data (Unconfirmed), , Financial Data, Employee Personal Information, , Names, Gender Data, Postal Addresses, Phone Numbers, Email Addresses and .

Incident Response Plan: The company's incident response plan is described as Yes (investigation underway), , , Yes (IT teams engaged in system rebuild), Yes (partial recovery ongoing), , Yes (manual processing implemented), , , .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Working to restore operations, restarted production at affected plants, , Manual order processing (fax/paper), In-person order collection, Gradual system restoration, , system restoration from backups (assumed), , Manual order processing via pen/paper/fax, Gradual restoration of IT systems, , system recovery in progress, , System restoration (ongoing as of December 2023), Gradual resumption of production, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by isolation of infected systems, disconnection of digital networks, , isolation of affected systems, manual order processing, , partial reopening of factories, isolation of affected systems (likely), , reversion to manual order processing (phone, fax, in-person), , system isolation, restoration efforts, , isolation of affected systems, manual order processing to mitigate supply chain disruptions and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through manual order and shipping processes, , Rebuilding digital infrastructure from scratch, Partial restart of 6 breweries by early October 2025, , gradual resumption of production (by 2024-10-10), prioritization of key products (Asahi Super Dry), expanded shipments from 2024-10-15, , Prioritizing shipments to larger customers, Limited production resumption, , Manual order processing (temporary workaround), phased resumption of product shipments, , Expected full system recovery by February 2024, .

Key Lessons Learned: The key lessons learned from past incidents are Unintended resilience of analog systems (e.g., fax machines) during cyberattacks,Importance of maintaining fallback operational protocols,Vulnerability of digital-only workflows to ransomware disruptions,Need for robust incident response plans to accelerate recoveryJapan's reliance on legacy systems and low digital literacy increases vulnerability to cyber-attacks.,Manual fallback processes (e.g., fax) are inefficient and disrupt modern supply chains.,Ransomware-as-a-Service (RaaS) models enable less-skilled threat actors to target large organizations.,Government intervention (e.g., ACD law) is critical but requires time to implement effectively.Legacy system integration during consolidation creates vulnerabilities; manual backup processes (e.g., fax) are insufficient for modern operations; competitor poaching of market share during downtime can have long-term brand loyalty impacts.The attack was described as 'beyond imagination' in sophistication, indicating gaps in Asahi's cybersecurity preparedness.,CEO acknowledged that existing preventive measures were insufficient against advanced threats.,Highlighted broader cultural issues in Japan regarding cybersecurity investment and prioritization.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Asahi Group Holdings Statement, and Source: Media Report (unspecified)Date Accessed: 2025-MM-DD (Tuesday morning, day after disclosure), and Source: ComparitechDate Accessed: 2025-10-07, and Source: ZeroFox Q3 2025 Ransomware Roundup, and Source: NCC Group August 2025 Ransomware Report, and Source: Reuters, and Source: eCrime.ch (cybercrime research platform), and Source: BloombergDate Accessed: 2025-10-08, and Source: The Japan TimesDate Accessed: 2025-10-04, and Source: PayPerFax Research CompilationUrl: https://payperfax.com, and Source: ABNewswireUrl: https://www.abnewswire.com/email_contact_us.php?pr=when-ransomware-hit-in-2025-japans-biggest-brewery-survived-on-fax-machines, and Source: Bloomberg, and Source: Qilin's dark web blog, and Source: Asahi Group Holdings Ltd. public statement (2024-10-09), and Source: BBC NewsUrl: https://www.bbc.com/news/articles/cpv1v5d0v1xoDate Accessed: June 2024, and Source: ReutersDate Accessed: June 2024, and Source: AFP via Getty ImagesDate Accessed: June 2024, and Source: News report (unspecified), and Source: BloombergUrl: https://www.bloomberg.comDate Accessed: 2025-11-12, and Source: Nikkei Inc., and Source: AFP (Agence France-Presse), and Source: Asahi Group Holdings public statement (September 29, 2025), and Source: Japanese media reports on Qilin's claim of responsibility, and Source: Asahi Group Holdings Official Announcement, and Source: BBC News, and Source: TechRadarUrl: https://www.techradar.com, and Source: AFP (Agence France-Presse), and Source: Japanese media reports (interpretation of Qilin's statement).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public statement issued (apology to customers/partners), Public Disclosure Via Spokesperson Statement, Declined To Comment On Extortion Details, Public Disclosure Via Media (E.G., The Japan Times), Customer Advisories On Potential Shortages, Public Statement On 2024-10-09 (Wednesday), Spokesperson Updates, No Details On Ransom Negotiations, Public Apology For Disruptions, Updates Via Media (No Direct Timeline Provided), Public Statement By Ceo Atsushi Katsuki, Apology For Inconvenience, Public announcement on company website, Public Press Conference By Ceo Atsushi Katsuki, Delayed Financial Disclosures With Promises Of Transparency Post-Recovery and Apologies To Customers For Inconvenience.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Public apology issued to customers and business partners, Yes (statement warning of service disruptions), Public Statements On Operational Status, Warnings To Retailers/Customers About Potential Shortages, Notifications About Order Delays, Potential Product Shortages (E.G., Super Dry Beer), , Limited Public Updates Via Spokesperson, Indirect Communication Via Retailers/Restaurants On Product Availability, , Apology Issued To Customers And Partners, No Detailed Advisory On Mitigation Steps, Warnings Of Product Shortages From Asahi And Convenience Store Chains (Familymart, 7-Eleven, Lawson), , Delay In Financial Results Announcement, Phased Resumption Of Shipments, Apology For Inconvenience, Request For Understanding During Recovery, , Public announcement acknowledging potential exposure of 1.825 million records, Delayed Financial Results Will Be Disclosed Once Systems Are Restored., Gradual Resumption Of Production And Shipments In Progress., Apology For Inconvenience Caused By Supply Disruptions., Assurance That Production Is Resuming In Stages. and .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: System Rebuild From Scratch, Partial Restoration Of Brewery Operations (6/30 Factories By Early October), Continued Reliance On Analog Systems (Fax/Paper) During Recovery, , Japanese Government'S Active Cyber Defense Law (Acd) Empowers Proactive Measures (E.G., Neutralizing Attacker Servers)., Asahi Likely Reviewing It Infrastructure Modernization And Cybersecurity Investments., Convenience Store Chains Diversifying Suppliers To Mitigate Single-Point Failures., .

Ransom Payment History: The company has Paid ransoms in the past.

Last Attacking Group: The attacking group in the last incident were an Qilin ransomware group, Qilin (Ransomware-as-a-Service group), Qilin Ransomware Group, Qilin (Russian-speaking hacker group), Qilin Ransomware Group, Qilin, Qilin (suspected, Russia-based), Qilin Ransomware Group and Qilin (suspected Russian-based hacker group).

Most Recent Incident Detected: The most recent incident detected was on 2024-09-29.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-09-29.

Most Recent Incident Resolved: The most recent incident resolved was on 2024-10-02.

Highest Financial Loss: The highest financial loss from an incident was Projected ¥15 billion core operating loss for Q4; full-year guidance expected to miss by 13%; higher marketing costs to win back customers.

Most Significant Data Compromised: The most significant data compromised in an incident were None confirmed (as per Asahi's statement), employee personal details, financial documents, budgets, contracts, plans, development forecasts, Type: ['internal documents', 'corporate data'], Volume: 27 GB (9,300+ files), , Type: ['internal documents', 'corporate data'], Volume: 27 GB (9,300+ files), , financial documents, contracts, development forecasts, employees' personal information, , , and .

Most Significant System Affected: The most significant system affected in an incident were Order and shipment systems (group companies in Japan)Call center operationsCustomer service desks and serversorder and shipment systemscall center operations and beer production plants (6 locations in Japan) and All computer systems30 factoriesDigital order processingSupply chain management and production systemsdistribution networksorder processing and Production Systems (30 factories, including 6 breweries)Order Processing SystemsShipment Logistics SystemsCommunication Systems (reverted to fax) and and Order and shipment processing systemFinancial data accessSupply chain operations and financial reporting systemssupply chain/logistics systems and Servers in the data centerCompany-issued PCs and Corporate IT systemsFinancial reporting systemsOrder processing systems.

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Isolation of infected systemsDisconnection of digital networks, isolation of affected systemsmanual order processing, Partial reopening of factoriesIsolation of affected systems (likely), Reversion to manual order processing (phone, fax, in-person), system isolationrestoration efforts and Isolation of affected systemsManual order processing to mitigate supply chain disruptions.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were contracts, development forecasts, budgets, employees' personal information, None confirmed (as per Asahi's statement), plans, financial documents and employee personal details.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 3.7M.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was Unclear (no confirmation of payment or refusal).

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Highlighted broader cultural issues in Japan regarding cybersecurity investment and prioritization.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Enhance threat detection and response capabilities for sophisticated attacks., Implement hybrid (digital + analog) backup systems for critical operations, Accelerate digital transformation to replace legacy systems in Japanese businesses., Improve incident response planning to minimize operational downtime., Conduct regular security audits and red-team exercises to test defenses., Develop and test manual fallback procedures for cyber incident scenarios, Evaluate legacy system retention as a potential resilience measure, Prioritize supply chain resilience in cybersecurity strategies., Enhance employee training on phishing/malicious file risks, Implement robust incident response plans with automated fallback systems (not manual)., Increase cybersecurity investments without solely focusing on ROI justification., Enhance public-private collaboration for threat intelligence sharing under ACD law., Invest in network segmentation to limit ransomware spread and Invest in cybersecurity training and hiring to address the shortage of professionals..

Most Recent Source: The most recent source of information about an incident are Japanese media reports on Qilin's claim of responsibility, Asahi Group Holdings Official Announcement, Asahi Group Holdings public statement (September 29, 2025), TechRadar, Comparitech, The Japan Times, NCC Group August 2025 Ransomware Report, PayPerFax Research Compilation, Media Report (unspecified), Qilin's dark web blog, Nikkei Inc., ZeroFox Q3 2025 Ransomware Roundup, Reuters, Asahi Group Holdings Ltd. public statement (2024-10-09), eCrime.ch (cybercrime research platform), Bloomberg, AFP via Getty Images, News report (unspecified), BBC News, AFP (Agence France-Presse), Japanese media reports (interpretation of Qilin's statement), ABNewswire and Asahi Group Holdings Statement.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://payperfax.com, https://www.abnewswire.com/email_contact_us.php?pr=when-ransomware-hit-in-2025-japans-biggest-brewery-survived-on-fax-machines, https://www.bbc.com/news/articles/cpv1v5d0v1xo, https://www.bloomberg.com, https://www.techradar.com .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Active (cause under investigation).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Public apology issued to customers and business partners, Public statements on operational status, Warnings to retailers/customers about potential shortages, Limited public updates via spokesperson, Apology issued to customers and partners, No detailed advisory on mitigation steps, delay in financial results announcement, phased resumption of shipments, Delayed financial results will be disclosed once systems are restored., Gradual resumption of production and shipments in progress., .

Most Recent Customer Advisory: The most recent customer advisory issued were an Yes (statement warning of service disruptions), Notifications about order delaysPotential product shortages (e.g., Super Dry beer), Indirect communication via retailers/restaurants on product availability, Warnings of product shortages from Asahi and convenience store chains (FamilyMart, 7-Eleven, Lawson), apology for inconveniencerequest for understanding during recovery, Public announcement acknowledging potential exposure of 1.825 million records and Apology for inconvenience caused by supply disruptions.Assurance that production is resuming in stages.

Most Recent Entry Point: The most recent entry point used by an initial access broker was an Equipment located at Asahi Group’s site.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Likely initial access via phishing or malicious file downloadLack of network segmentation to contain ransomware spreadOver-reliance on digital systems without tested manual fallbacks, Over-reliance on legacy IT systems with poor security controls.Insufficient cybersecurity workforce and digital literacy in business operations.Lack of preparedness for ransomware attacks (e.g., no immediate automated fallbacks).Cultural trust in systems without proportional risk management., Vulnerabilities in legacy systems during integration; lack of resilient backup systems for order processing, Insufficient cybersecurity measures against sophisticated attacks.Potential lack of network segmentation or advanced threat detection..

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was System rebuild from scratchPartial restoration of brewery operations (6/30 factories by early October)Continued reliance on analog systems (fax/paper) during recovery, Japanese government's Active Cyber Defense Law (ACD) empowers proactive measures (e.g., neutralizing attacker servers).Asahi likely reviewing IT infrastructure modernization and cybersecurity investments.Convenience store chains diversifying suppliers to mitigate single-point failures..