This September, Japanese brewing giant Asahi Group Holdings disclosed a major cyberattack that "disrupted operations across multiple regions."
While headlines focused on the impact to beer production and distribution, the real story for CISOs is what this incident reveals about the hidden vulnerabilities in global enterprises.
Threat actors targeted Asahi’s IT infrastructure, forcing system shutdowns in Japan and delays in logistics and supply chain management.
Asahi is the largest brewer in Japan, but also owns global beer brands including Peroni, Pilsner Urquell, and Grolsch (alongside the UK-based brand Fullers.) It also owns Fullers in the UK, which is brewed in West London.
Recently, Asahi issued an apology to its customers and business partners in a statement: "We are actively investigating the cause and working to restore operations; however there is currently no estimated timeline for recovery," it the statement reads." The system failure is limited to our operations within Japan. None of Asahi's manufacturing operations in Europe, including its UK beer supply, are impacted by this incident."
About half of Asahi Group Holdings' sales take place in Japan. In a report last year, Asahi listed a cyberattack as among the main risks it faced in the medium to short term; it assessed that such an attack could potentially lead to an interruption of its business, create cashflow issues, and damage its brand longer-term. In the 2024 report, the company noted a number of ways in which it was responding, including assessing the maintenance of its security system.
Although no customer data was confirmed stolen at the time of disclosure, the operational impact was significant, namely resulting in:
Disrupted brewery operations
Delayed shipments to distributors and retailers
Financial risk tied to downtime and recovery costs
For an organization with annual revenues exceeding $20 billion USD, even short-term disruption translates into material losses. For CISOs and security teams, the incident demonstrates the increasing likelihood that attacks will aim to cripple operations, not simply steal data.
To place Asahi’s incident in context, here are relevant statistics from cross-industry research and OT parallels:
Statistic | Insight | Source |
62% of supply chain attacks exploit supplier vulnerabilities | Most incidents start with weak third-party security |
Average cost of a supply chain cyberattack: $4.46M | Reflects higher remediation and reputational costs |
66% of organizations experienced a supply chain attack in the past year | Supply chain compromises are now the norm, not the exception |
45% of breaches originated from third-party service providers | Vendors and partners create indirect attack paths |
80% of CISOs cite supply chain security as a top priority | Regulatory pressure and ransomware risks drive focus |
Operational Continuity Remains the Crown Jewel: Attacks that stop production can cause more damage than data theft. Secure your OT and IoT just as rigorously as your IT.
Legacy and Global Complexity Multiply Risk: Asahi’s reach across continents magnified the fallout. Global operations require global threat modelling.
Resilience is Measured Past the Initial Breach: Recovery time determines financial and reputational impact. Testing business continuity and disaster recovery plans under fire is essential.
Supply Chain = Attack Chain: From distribution partners to IoT-enabled brewing equipment, every connection is a potential entry point.
The Asahi incident underscores that, in today's modern threat landscape, cyber preparedness is a marathon, not a sprint. CISOs who guide their organizations to resilience (not just compliance) are the ones who protect both revenue and reputation.
Speak with an Account Executive
Our Penetration Security Testing methodology is derived from the SANS Pentest Methodology, the MITRE ATT&CK framework, and the NIST SP800-115 to uncover security gaps.
Download our Pentest Sourcing Guide to learn everything you need to know to successfully plan, scope, and execute your penetration testing projects.