System Incident Response Examples: A Simplified Summary of Domestic and International Cases②
Introduction
Hello, this is Kagami. In this article, I have collected five recent cyberattack cases from Japan. For those who have been too busy to keep up with the latest system incident response cases, I have summarized them in a rough but easy-to-understand format. I would be grateful if you would read through to the end.
In today’s rapidly digitalizing society, cyberattacks have become a critical risk that can threaten the very survival of companies. With increasingly diverse threats such as ransomware, supply chain attacks, and insider fraud, how should organizations prepare themselves? In this article, we examine recent real-world cyberattack cases from both Japan and abroad and consider how organizations should respond.
1. Ransomware Attack on Asahi Group Holdings
Overview
On September 29, 2025, Asahi Group Holdings was hit by a ransomware attack using “Qilin.” As a result, order processing, shipping operations, and call center services across its domestic group companies were suspended, and approximately 27 GB of data was reportedly stolen.
Detailed Timeline
The attack occurred on September 29, 2025, and involved system encryption and operational shutdown typical of a ransomware attack. Traces of unauthorized data transfer were also discovered. The attack group, calling itself “Qilin,” claimed that it had stolen more than 9,300 files, totaling approximately 27 GB of data from Asahi.
Date of Occurrence
From September 29 to early October 2025, domestic order processing, shipping, and parts of production were either largely suspended or severely restricted. This disruption affected the entire supply chain and caused major issues with customer service.
Response Measures
Asahi established an emergency response task force and worked with external cybersecurity specialists to isolate affected systems. Manual order processing was implemented. The possibility of information leakage has also been raised, and investigations are ongoing.
Analysis
This case once again highlights the importance of early detection and rapid response to cyberattacks, and of well-prepared recovery procedures. The tactic of threatening compliance violations represents a new pattern that demands even greater vigilance. Ransomware attacks now involve double extortion—not only demanding a ransom but also threatening to expose stolen data. Companies must therefore strengthen not only their data encryption measures but also their data leakage prevention strategies.
Reference:
Common TTPs of the Qilin Ransomware Group That Attacked Asahi GHD | BLOG | Cybertrust (サイバートラスト)
2. Suspension of ASKUL’s E-commerce Services
Overview
On October 19, 2025, ASKUL, a major mail-order retailer of office supplies, was hit by a cyberattack. As a result, all of its e-commerce services were suspended, and the company was forced to cancel all existing orders—an extremely unusual situation.
Detailed Timeline
The attack occurred on October 19, 2025, causing ASKUL’s EC services to shut down. MUJI and Loft, which outsource part of their distribution to ASKUL, also suspended their online sales.
Date of Occurrence
From October 19, 2025, to the present, with a prolonged recovery period.
Response Measures
ASKUL has borrowed approximately 30 engineers from its parent company, LINE Yahoo Corporation, to accelerate system analysis and recovery efforts. However, no clear timeline for service restoration has been established, and the postponement of monthly financial disclosures is also being considered.
*According to a progress report dated November 19, it was announced that website ordering services are scheduled to resume in early December.
Analysis
This case underscores the importance of strengthening security across the entire supply chain and ensuring swift response capabilities in the event of an attack. E-commerce platforms are the lifeline of modern business, and their suspension directly translates into severe revenue losses. Regular backup system maintenance and the establishment of manual fallback processes serve as critical safeguards during crises. We sincerely hope for the earliest possible full restoration of services.
3. Personal Information Leak at Starbucks Coffee Japan
Overview
The system services of Blue Yonder, used by Starbucks Coffee Japan, one of the largest coffee chains in Japan, were compromised by unauthorized access. As a result, the personal information of approximately 31,500 employees was leaked. *An additional announcement on October 3 revealed that another approximately 40,700 employee IDs had also been leaked.
Detailed Timeline
Blue Yonder provides Starbucks with its “Workforce Management (WFM)” shift scheduling system, which was accessed without authorization. The leaked information included employee IDs and names but did not include customer information.
Date of Occurrence
September 19, 2025.
Response Measures
Blue Yonder has strengthened its monitoring systems and implemented the latest system patches and vulnerability countermeasures to prevent further unauthorized access. Starbucks is working closely with Blue Yonder to prevent recurrence.
Analysis
This case demonstrates that the security of third-party service providers is also a critical risk factor. It is essential to assess security across the entire supply chain and clearly define security requirements in third-party contracts. To combat supply chain attacks, organizations must incorporate security evaluation into vendor management processes and establish a framework for regular security audits.
4. Personal Information Leak at Community Network Co., Ltd.
Overview
Community Network Co., Ltd., which operates CN Play Guide under the Big Holiday Group and is one of Japan’s primary ticketing service providers, announced that some of its ticketing system websites may have experienced personal data leakage due to unauthorized access.
Detailed Timeline
It is suspected that personal information in 236,323 records may have leaked. The information includes names, addresses, phone numbers, and email addresses.
Date of Occurrence
September 3, 2025.
Response Measures
The company is investigating the affected systems and notifying individuals whose information may have been compromised.
Analysis
Proper access control configuration and regular security audits are essential. Information leaks caused by unauthorized access are often the result of system vulnerabilities and inadequate access management. The cybersecurity principle of “least privilege” dictates that users, programs, and systems should possess only the minimum privileges necessary to perform their tasks. Strict access control built on this principle, combined with continuous monitoring to detect suspicious access attempts, is an effective way to keep an incident from escalating into unexpected damage.
References:
Apology and Notice Regarding the Possible Leak of Personal Information Due to Unauthorized Access (posted Wednesday, September 10, 2025)
5. Information Leak Due to Unauthorized Access at Rachi Keiei Co., Ltd.
Overview
Rachi Keiei Co., Ltd., which operates franchise stores such as “Fresh & Wholesale Supermarkets,” disclosed that its servers were accessed without authorization by a third party, potentially resulting in the leakage of up to 450,000 records of corporate and personal information. The company operates a management consulting business and handles confidential information from many listed and small-to-medium enterprises.
Detailed Timeline
Information such as past purchasing, sales, and inventory data, as well as member and customer information, may have been leaked. However, subsequent investigations by external organizations found no evidence of actual data exfiltration, and it was concluded that no confirmed damage had occurred.
Date of Occurrence
August 18, 2025.
Response Measures
Rachi Keiei requested incident response support from an external cybersecurity firm and is identifying the scope of the impact. The company is also contacting affected customers and working on data recovery. It has announced preventive measures, including strengthening access controls, introducing multi-factor authentication, and reinforcing cybersecurity education for employees.
Analysis
This case highlights the importance of layered defense based on the assumption that “defenses will eventually be breached.” Rather than relying on a single control, it is critical to combine measures at each stage, such as perimeter defense, detection of internal reconnaissance, and prevention of data exfiltration. In addition, sensitive data should be encrypted so that even if it is leaked, it cannot be misused.
Summary
The cyberattack cases introduced in this article clearly illustrate the new threats that modern enterprises are facing. Even these few examples demonstrate the wide variety of cyberattack methods in use today.
What we must learn from these cases is that a single security measure is no longer sufficient to protect organizations from today’s advanced and complex cyber threats. A layered defense strategy combining technical, human, and physical countermeasures is essential, along with well-prepared incident response plans that assume the possibility of successful attacks.
In addition to strengthening one’s own organizational defenses, it is also necessary to properly manage the security levels of suppliers and business partners. The increase in supply chain attacks proves that in today’s highly interconnected business environment, the notion that “protecting only our own company is enough” no longer holds.
Cybersecurity is not merely an IT issue—it is a management issue. Organizational leaders must recognize cyber risks as business risks, allocate appropriate resources, and foster a security-conscious culture throughout the entire organization.