Akasaka International Law, Patent & Accounting Office.

Japan Ransomware 2025: ASKUL & Asahi Group HD Incident Response Compared

Mar 03, 2026


Japan Ransomware Response 2025–2026: ASKUL vs. Asahi Group HD — What Every CISO Must Know

In the second half of 2025, two of Japan’s most prominent large enterprises became ransomware targets within weeks of each other. This analysis compares ASKUL Corporation and Asahi Group Holdings across three dimensions: intrusion vectors, recovery strategy, and governance reconstruction. The findings translate directly into actionable guidance for BCP planning and third-party vendor risk management.

Note: This comparison is not intended to rank either company’s response. It serves as a reference for understanding large-enterprise incident response standards in Japan. Differences in damage scope and system architecture must be kept in mind throughout.


1. Attack Overview and Recovery Summary

Both companies had restored core services by February 2026. The attacks themselves were roughly three weeks apart (September 29 and October 19, 2025), but recovery duration and methodology diverged substantially.

Business type
  ASKUL: Highly automated e-commerce & logistics
  Asahi Group HD: Food & beverage manufacturing
Attack date
  ASKUL: October 19, 2025
  Asahi Group HD: September 29, 2025
Threat actor
  ASKUL: Multiple ransomware strains
  Asahi Group HD: Undisclosed (Qilin reported in media)
Primary intrusion vector
  ASKUL: Contractor admin account (MFA not applied)
  Asahi Group HD: VPN appliance vulnerability at a company site
Maximum impact
  ASKUL: Complete shutdown of OT logistics automation
  Asahi Group HD: Broad shutdown of core and administrative systems
Confirmed data exposure
  ASKUL: ~740,000 records
  Asahi Group HD: ~115,000 confirmed (initially feared: ~1.91M)
Core service restoration
  ASKUL: February 13, 2026
  Asahi Group HD: February 2026 (order systems resumed in early December; delivery lead times normalized in February)
Recovery method
  ASKUL: Full environment teardown, then rebuild from zero
  Asahi Group HD: Restoration from healthy backups plus full server rebuild

Downtime and Recovery Method: Side-by-Side

Full logistics/order system outage
  ASKUL: ~3.5 months (Oct 19 to Feb 4, when shipments resumed on the new system)
  Asahi Group HD: ~2 months (manual operations plus Excel; EOS resumed in early December)
Business continuity during outage
  ASKUL: Zero shipments (automation precluded manual fallback)
  Asahi Group HD: Manual and spreadsheet operations maintained for ~2 months
Governance focal point
  ASKUL: Supply chain and third-party vendor management
  Asahi Group HD: Board-level oversight strengthening and organizational restructuring

2. Intrusion Vectors and Breach Scope

Both intrusions followed the classic attack chain — credential theft → lateral movement → simultaneous ransomware deployment — but their entry points were structurally distinct. ASKUL suffered a supply chain attack via a contractor; Asahi Group HD was compromised through its own VPN infrastructure. This structural difference drove divergent remediation strategies.

2-1. ASKUL: Supply Chain Attack

Supply chain attack | ⚠ MFA exception | ⚠ Backup deletion

  • Attackers exploited an admin account granted to a contracted vendor, entering through an account where multi-factor authentication (MFA) had been selectively disabled.
  • The ransomware simultaneously encrypted systems and deleted backup files — the primary driver of the extended recovery timeline.
  • Initial intrusion is believed to have occurred months before detection, with attackers remaining dormant prior to simultaneous activation.

Key insight: The entry point was outside the perimeter. Contractor accounts with weak authentication represent the attacker’s preferred entry vector — a “perimeter externalization” risk now fully exposed.

2-2. Asahi Group HD: VPN Vulnerability

VPN appliance vulnerability | ⚠ 10-day dwell time

  • Attackers entered through the company’s own VPN and inter-site network equipment. Public reporting describes both a vulnerability in the VPN appliance and weak passwords on network equipment as the means of gaining administrator privileges.
  • Notably, attackers spent approximately 10 days conducting reconnaissance during non-business hours before triggering the attack.
  • Media coverage has cited Qilin as a likely threat actor, though official technical disclosure remains limited.
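The ten days of reconnaissance described above were conducted outside business hours, which is exactly the signal a detection rule can key on: successful privileged logins on remote-access gear at night or on weekends, recurring across several days. The following is an added example (not code from the original page, and not from either company) that runs such a rule over a handful of constructed VPN authentication log lines. The log format, the privileged-user list, and the business-hours window (08:00 to 20:00 JST, weekdays) are assumptions for the example; adapt them to your gateway’s actual log schema.

```python
"""Flag off-hours privileged VPN logins that recur over several days.

Constructed example; the log line format below is an assumption, not a
real vendor format. Timestamps carry an explicit +09:00 (JST) offset.
"""
import re
from collections import defaultdict
from datetime import datetime, time

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed list of accounts that can change gateway or network configuration.
PRIVILEGED = {"admin-ops", "netadmin"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(20, 0)

# Constructed sample log (not real data). Sep 18 2025 is a Thursday,
# Sep 20 a Saturday, Sep 22 a Monday, Sep 24 a Wednesday.
SAMPLE_LOG = """\
2025-09-18T02:14:05+09:00 vpn-gw01 auth user=admin-ops src=198.51.100.7 result=failure
2025-09-18T02:15:40+09:00 vpn-gw01 auth user=admin-ops src=198.51.100.7 result=success
2025-09-18T10:02:11+09:00 vpn-gw01 auth user=admin-ops src=192.0.2.10 result=success
2025-09-20T23:41:03+09:00 vpn-gw01 auth user=admin-ops src=198.51.100.7 result=success
2025-09-22T03:07:55+09:00 vpn-gw02 auth user=admin-ops src=198.51.100.7 result=success
2025-09-22T03:09:12+09:00 vpn-gw02 auth user=jdoe src=198.51.100.7 result=success
2025-09-24T01:30:00+09:00 vpn-gw01 auth user=netadmin src=192.0.2.10 result=success
""".splitlines()


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_off_hours(ts):
    """Weekend, or a weekday outside the assumed business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_privileged(lines):
    """Successful off-hours logins by privileged users, plus distinct
    off-hours days per user (the 'quiet recon' indicator)."""
    flagged = []
    days_per_user = defaultdict(set)
    for line in lines:
        e = parse(line)
        if e is None or e["result"] != "success" or e["user"] not in PRIVILEGED:
            continue
        if is_off_hours(e["ts"]):
            flagged.append(e)
            days_per_user[e["user"]].add(e["ts"].date())
    return flagged, {u: len(d) for u, d in days_per_user.items()}


def recon_suspects(lines, min_days=3):
    """Users whose off-hours privileged logins span at least min_days
    distinct days: a single late login is routine, a pattern is not."""
    _, days = off_hours_privileged(lines)
    return sorted(u for u, n in days.items() if n >= min_days)


if __name__ == "__main__":
    flagged, days = off_hours_privileged(SAMPLE_LOG)
    for e in flagged:
        print(f"OFF-HOURS {e['ts'].isoformat()} {e['host']} {e['user']} from {e['src']}")
    print("distinct off-hours days:", days)
    print("recon suspects:", recon_suspects(SAMPLE_LOG))
```

The failure on the first line is deliberately ignored: the rule targets successful sessions, since that is what reconnaissance needs. Run against a real gateway, the per-user day count should be compared with a baseline of that account’s normal hours rather than a fixed window, and a new source address first seen off-hours deserves its own alert.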

2-3. Breach Scope Comparison

Data exposure
  ASKUL: ~740,000 records (individuals and corporate, confirmed)
  Asahi Group HD: Initially feared ~1.91M, confirmed ~115,000; customer service data (1.525M) was found to be included in the feared figure
Data published online
  ASKUL: Investigation ongoing
  Asahi Group HD: Not confirmed
Maximum business impact
  ASKUL: Logistics system shutdown = zero shipments (fragility of full automation exposed)
  Asahi Group HD: ~300 sites suspended; sales impact (~70% in some units) persisted for several months

3. Three Lessons Every Enterprise Must Apply Now

Cross-analysis of both incidents yields three lessons every organization should assess against its own posture immediately.

Lesson 1: One gap in your supply chain can be fatal

Asahi Group HD’s breach originated from inadequate management of its own network devices. ASKUL’s originated from a contractor’s account. Protecting your own perimeter is no longer sufficient — authentication governance must extend to all vendors.

Ask yourself: Does any partner organization have MFA exceptions on accounts that touch your systems? That exception is the attacker’s preferred entry point. Embedding security requirements into vendor contracts is now a component of legal risk management.
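The question above (and the contractor admin account without MFA in section 2-1) can be answered mechanically if you hold an inventory of every account that can reach your systems, internal or vendor-owned. The following is an added example, not code from the original page or from either company, that audits such an inventory for MFA exceptions and ranks them by exposure: privileged, remotely reachable, third-party owned, and whether a documented exception exists and is still in date. The inventory contents, the vendor name, and the field names are constructed assumptions; in practice the list would be exported from your identity provider.

```python
"""Audit an account inventory for MFA exceptions on exposed accounts.

Constructed example. The Account fields and the sample inventory are
assumptions; export the real list from your identity provider.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Account:
    user: str
    owner_org: str            # "internal" or the vendor that owns the account
    privileged: bool          # admin or otherwise elevated role
    remote_access: bool       # can reach the environment over VPN or SaaS
    mfa_enforced: bool
    exception_expires: Optional[date] = None  # documented MFA exception, if any


# Constructed sample inventory (not real ASKUL or Asahi data).
INVENTORY = [
    Account("ops-admin01", "internal", True, True, True),
    Account("vendor-logistics-admin", "example-logistics-kk", True, True, False,
            date(2025, 6, 30)),
    Account("vendor-dev-readonly", "example-logistics-kk", False, False, False),
    Account("svc-backup", "internal", True, False, False),
    Account("helpdesk-tmp", "internal", True, True, False, date(2026, 12, 31)),
]


def mfa_findings(inventory, today):
    """Return (user, severity, reason) for every exposed account lacking MFA.

    Exposed means privileged or remotely reachable. An undocumented or
    expired exception is always critical; a valid exception on a vendor
    admin account is high; a valid exception elsewhere is medium.
    """
    findings = []
    for a in inventory:
        if a.mfa_enforced or not (a.privileged or a.remote_access):
            continue
        reasons = []
        if a.owner_org != "internal":
            reasons.append(f"third-party owned ({a.owner_org})")
        if a.privileged:
            reasons.append("privileged")
        if a.remote_access:
            reasons.append("remote access")
        if a.exception_expires is None:
            reasons.append("no documented exception")
            severity = "critical"
        elif a.exception_expires < today:
            reasons.append(f"exception expired {a.exception_expires.isoformat()}")
            severity = "critical"
        else:
            reasons.append(f"exception valid until {a.exception_expires.isoformat()}")
            severity = "high" if (a.privileged and a.owner_org != "internal") else "medium"
        findings.append((a.user, severity, ", ".join(reasons)))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


def findings_by_org(inventory, today):
    """Count of findings per owning organization: the list of vendors whose
    contracts need an explicit MFA clause."""
    owner = {a.user: a.owner_org for a in inventory}
    return dict(Counter(owner[user] for user, _, _ in mfa_findings(inventory, today)))


if __name__ == "__main__":
    today = date(2026, 3, 3)
    for user, severity, reason in mfa_findings(INVENTORY, today):
        print(f"{severity.upper():8} {user:24} {reason}")
    print(findings_by_org(INVENTORY, today))
```

Note that the read-only vendor account with no MFA is deliberately not reported: the audit prioritizes reach, not headcount, so that the contract and remediation conversation starts with the accounts that could reproduce the ASKUL entry point.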

Lesson 2: Logistics automation amplifies cyberattack impact

Asahi Group HD maintained shipments manually during its outage. ASKUL could not: its highly automated warehouse and picking systems meant a system outage instantly translated into a physical standstill.

Digital transformation and risk management are two sides of the same coin. The more advanced your DX, the greater the physical damage from a cyber incident. BCP planning must extend IT failure scenarios into OT domains.

Lesson 3: Design for backup deletion — not just backup failure

In ASKUL’s case, attackers deleted backup files simultaneously with encryption. “We have backups” is no longer a sufficient recovery posture.

Without offline backups isolated from the network, or immutable backups that cannot be modified or deleted, the attacker holds the keys to your recovery. Backup architecture review is not a future agenda item — it is an immediate action.
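Whether a backup survives an attacker with admin credentials is a property you can evaluate from the backup catalog, and so is the deletion pattern described above. The following is an added example, not code from the original page or from either company, that applies two checks to a constructed catalog: each protected system must have at least one copy that is either offline or under an unexpired immutability lock and younger than the recovery point objective, and any copy that vanishes before its scheduled retention end is reported as an early deletion. The catalog entries, system names, and field names are assumptions for the example.

```python
"""Check a backup catalog for ransomware resilience and early deletions.

Constructed example. Catalog entries and field names are assumptions;
a real catalog would come from the backup platform or object store.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    backup_id: str
    system: str
    taken_at: datetime
    location: str                      # e.g. "primary-nas", "s3-locked", "tape-offline"
    offline: bool                      # disconnected from production networks
    immutable_until: Optional[datetime]  # WORM/object-lock retention end, if any
    expires_at: datetime               # scheduled deletion per retention policy


NOW = datetime(2026, 3, 3, 9, 0)
DAY = timedelta(days=1)

# Constructed current catalog (not real data).
CATALOG = [
    BackupCopy("wms-1", "wms", NOW - 2 * timedelta(hours=1), "primary-nas", False, None, NOW + 7 * DAY),
    BackupCopy("wms-2", "wms", NOW - 6 * timedelta(hours=1), "s3-locked", False, NOW + 30 * DAY, NOW + 30 * DAY),
    BackupCopy("erp-1", "erp", NOW - 1 * timedelta(hours=1), "primary-nas", False, None, NOW + 7 * DAY),
    BackupCopy("erp-2", "erp", NOW - 5 * DAY, "s3-locked", False, NOW - 1 * DAY, NOW + 2 * DAY),
    BackupCopy("erp-3", "erp", NOW - 3 * DAY, "tape-offline", True, None, NOW + 90 * DAY),
    BackupCopy("mail-1", "mail", NOW - 3 * timedelta(hours=1), "primary-nas", False, None, NOW + 7 * DAY),
]

# Constructed catalog snapshot taken the previous day: two copies have since vanished.
PREVIOUS_CATALOG = CATALOG + [
    BackupCopy("wms-0", "wms", NOW - 2 * DAY, "s3-locked", False, None, NOW + 10 * DAY),
    BackupCopy("erp-old", "erp", NOW - 40 * DAY, "primary-nas", False, None, NOW - 2 * DAY),
]


def is_ransomware_resilient(copy, now):
    """A copy an attacker with production credentials cannot encrypt or delete:
    offline, or under an immutability lock that has not yet expired."""
    return copy.offline or (copy.immutable_until is not None and copy.immutable_until > now)


def posture(catalog, now, rpo=24 * timedelta(hours=1)):
    """Per system: OK, WARN (resilient copy older than RPO) or FAIL (none)."""
    by_system = defaultdict(list)
    for c in catalog:
        by_system[c.system].append(c)
    report = {}
    for system, copies in sorted(by_system.items()):
        resilient = [c for c in copies if is_ransomware_resilient(c, now)]
        if not resilient:
            report[system] = "FAIL: no offline or immutable copy"
            continue
        newest = max(resilient, key=lambda c: c.taken_at)
        age = now - newest.taken_at
        report[system] = "OK" if age <= rpo else f"WARN: newest resilient copy is {age.days}d old"
    return report


def deleted_early(previous, current, now):
    """IDs present in the previous catalog snapshot but gone now, whose
    scheduled retention had not yet ended: the signature of deletion by
    something other than the retention policy."""
    current_ids = {c.backup_id for c in current}
    return sorted(c.backup_id for c in previous
                  if c.backup_id not in current_ids and c.expires_at > now)


if __name__ == "__main__":
    for system, verdict in posture(CATALOG, NOW).items():
        print(f"{system:6} {verdict}")
    print("deleted before retention end:", deleted_early(PREVIOUS_CATALOG, CATALOG, NOW))
```

Two details matter in practice. An object-lock or WORM retention that has lapsed (erp-2 above) no longer counts, so the check must be run continuously, not once at design time. And the early-deletion check only works if the previous snapshot of the catalog is itself kept somewhere the attacker cannot reach; a snapshot stored alongside the backups disappears with them.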


4. Incident Response: Comparison of Initial and Recovery Actions

4-1. Initial Response

Both companies filed preliminary reports with Japan’s Personal Information Protection Commission (個人情報保護委員会, PPC) the day after the attack — an appropriate and timely initial action. The difference in containment speed is noteworthy.

Detection to isolation
  ASKUL: Detected the same morning, isolated the same day
  Asahi Group HD: Detected 7:00 AM, isolated 11:00 AM (~4 hours)
Network isolation scope
  ASKUL: Communication severed between data center and logistics center
  Asahi Group HD: VPN, inter-site networks, and cloud connections cut at all ~300 sites
External expertise
  ASKUL: Forensic investigation initiated Oct 20
  Asahi Group HD: Multiple external specialists engaged immediately
PPC preliminary report
  ASKUL: Oct 20 (next day)
  Asahi Group HD: Sep 30 (next day)

ASKUL’s timeline has been disclosed only at day granularity, so the two responses cannot be compared hour for hour. What the Asahi Group HD figures do show is a roughly four-hour window between detection and isolation across a network of ~300 interconnected sites, and that window may have allowed the breach scope to expand.

4-2. Containment and Investigation

ASKUL rapidly isolated infected endpoints, extracted ransomware samples, and updated EDR signatures. Key containment actions disclosed publicly include:

  • Isolation of compromised systems and networks
  • Quarantine of infected endpoints and servers
  • Enhanced security monitoring operations
  • Review of unauthorized data changes and program releases
  • Timestamp anomaly checks
  • Credential reset and password rotation across all accounts
  • MFA applied to all admin accounts
  • Ransomware sample extraction and EDR signature updates

It is worth noting that an unauthorized access incident affecting an external cloud service was identified on October 22, revealing residual gaps in the initial containment perimeter.

Asahi Group HD adopted a more aggressive containment approach — completely isolating its data center by cutting internet connectivity entirely. Business impact was severe, but lateral movement was definitively halted.

4-3. Recovery Strategy

Approach
  ASKUL: Full environment teardown; rebuilt from scratch
  Asahi Group HD: Restored from healthy backups; rebuilt all servers and validated integrity
Rationale
  ASKUL: Backups had been encrypted and deleted; no trusted baseline existed
  Asahi Group HD: Backup integrity was maintained; restoration from a known-good state was viable
Order system recovery
  ASKUL: ~4 months for full logistics restoration
  Asahi Group HD: ~2 months to resume order systems

4-4. Disclosure Practices

The two companies’ disclosure postures were markedly different. ASKUL published detailed technical updates through at least an 18th official notice, explicitly sharing information with JPCERT/CC and framing its disclosures as a contribution to industry-wide defensive capability. This level of technical transparency merits recognition as a model for sector-wide security improvement.

Asahi Group HD provided careful, precise distinctions between the initially feared data exposure figure and the ultimately confirmed scope — a meaningful communication choice given the ~1.91M vs. ~115,000 gap. Technical depth was more limited, but multiple formal PPC reports (preliminary, follow-up, confirmed, and supplemental) reflected appropriate regulatory engagement.


5. Remediation Measures and Governance Restructuring

Fundamental stance
  Asahi Group HD: Identify and eliminate or redesign the attack path itself (VPN abolished, network rebuilt, zero-trust endpoints)
  ASKUL: Three pillars: disclosure, security hardening, and ongoing capability maturation
Attack vector remediation
  Asahi Group HD: Full decommissioning of remote access VPN; legacy communication paths rebuilt; risky devices retired; endpoint data consolidated to cloud (no local cache)
  ASKUL: Compromised system and network isolation; credential reset; MFA applied to admin accounts; MFA mandated for all remote access
Endpoint, network, and system architecture
  Asahi Group HD: Full migration to zero-trust dedicated PCs; new secure network zones; EDR hardening across all endpoints and cloud; continuous pen testing and threat hunting
  ASKUL: Servers and devices rebuilt in a clean network environment; SaaS log monitoring; continuous EDR, email security, and network defense enhancement
Monitoring and detection
  Asahi Group HD: Security rules and operations overhauled for faster initial response; automated log analysis and containment
  ASKUL: Enhanced SOC (24/365); improved detection capability; asset integrity monitoring
Identity and access management
  Asahi Group HD: System-wide password rotation; automated account lifecycle management to reduce human error and orphaned accounts
  ASKUL: Credential reset; MFA on admin accounts; MFA mandated for all remote access; access log analysis
Infrastructure and cloud security
  Asahi Group HD: Tightened network access restrictions; infrastructure redesigned to prevent lateral movement; continuous cloud security posture checks with auto-remediation
  ASKUL: SaaS log monitoring; continuous network defense updates; periodic external assessments
Backup and BCP
  Asahi Group HD: Further backup architecture strengthening; periodic recovery drills; system consolidation to improve recoverability
  ASKUL: BCP revised to incorporate ransomware scenarios; immutable backup environment built; “safe new environment” constructed and migrated to
Human factors
  Asahi Group HD: Ongoing security training incorporating the latest attack techniques
  ASKUL: Role-based security training programs; continuous education and operational rule updates
Disclosure and communications
  Asahi Group HD: Incident timeline, root cause, remediation, and governance improvements disclosed via press releases
  ASKUL: Disclosure treated as an independent pillar; technical detail published through the 18th notice; NIST CSF-aligned report published; JPCERT/CC information sharing made explicit
Governance and organizational structure
  Asahi Group HD: Independent information security function and dedicated executive role established; Information Security Committee created; board skill matrix reviewed; internal audit and external experts integrated into oversight
  ASKUL: “Future security strengthening” framed around maturity improvement and external assessments; specific org restructuring not yet announced; NIST CSF used to evaluate and improve controls

6. Governance Assessment

What Both Companies Did Right

Three elements were common to both responses:

  1. No ransom payment; no negotiation with threat actors
  2. Transparent, ongoing public disclosure
  3. Early reporting to the supervisory authority (PPC)

The End of Perimeter Defense: A Shared Lesson

Asahi Group HD was entered through its VPN; ASKUL through a contractor. Perimeter defense alone is no longer adequate. The operative question is: once attackers are inside, how do you minimize damage? The answer lies in EDR deployment, multi-factor authentication, and network segmentation.

The Social Value of Disclosure

ASKUL’s choice to publish granular technical detail — through its 13th and 18th notices — including explicit information sharing with JPCERT/CC, stands out as a posture of sector-level contribution. In a landscape where most organizations disclose the minimum required, this approach represents a meaningful standard for industry-wide security improvement.

At Akasaka International Law & Accounting Office, we view the 2025 ransomware incidents at ASKUL and Asahi Group HD as a structural inflection point for how Japanese enterprises — and foreign companies operating in Japan — must approach cyber governance and vendor contract design.

In particular, the legal and regulatory exposure that arises when a third-party contractor’s account becomes the intrusion vector varies significantly depending on how vendor contracts are drafted, what security obligations are specified, and how incident notification duties are allocated between parties. Organizations that have not yet embedded explicit cybersecurity requirements into their vendor and outsourcing agreements face compounding legal risk — not only under Japan’s Act on the Protection of Personal Information (個人情報の保護に関する法律), but increasingly under industry-specific regulations and emerging cyber safety legislation.

We recommend an early compliance review before an incident occurs, rather than after.

The assumption that “we’ll deal with it if it happens” is precisely what threat actors count on. Both ASKUL and Asahi Group HD were large, sophisticated organizations, yet a single vulnerable VPN appliance and one contractor account without MFA each became months-long business disruptions affecting hundreds of thousands of data subjects and costing far more in remediation than early-stage prevention would have required.

Early-stage consultation is significantly less costly than post-violation remediation. Most Japan ransomware preparedness and vendor contract compliance questions can be scoped in a single session.

We are fully available to communicate in English — from initial inquiry through to engagement. Please feel free to reach out in English at any time.

Whether your questions concern third-party security obligations under Japanese law, personal data breach notification timelines, board-level governance requirements, or BCP legal frameworks, we can help you assess your current posture and identify the gaps that matter most.

If any of the following applies to your organization, we recommend a compliance review:

□ Your vendor and outsourcing contracts do not specify MFA or security baseline requirements for accounts that access your systems.

□ You cannot confirm whether your backup data is stored on a network-isolated or immutable medium that ransomware cannot reach.

□ Your BCP does not include a scenario in which your core IT systems, including OT or logistics automation, are completely offline for 30 days or more.

□ You are unsure of your notification obligations to Japan’s Personal Information Protection Commission (PPC) and the timeline required if a breach is discovered at a contracted vendor rather than internally.

□ Your board or audit committee has not reviewed your cybersecurity governance structure or incident response policy in the past 12 months.

If one or more apply, please contact us for an initial consultation.

Author Information

Akasaka International Law & Accounting Office

Shinji SUMIDA, Attorney-at-Law


You are welcome to contact us via the Contact Form to discuss and for more information.