Global Beverage Giant Hit by Major Ransomware Attack

Japanese beverage conglomerate Asahi Group Holdings announced on Thursday, November 27, 2025, that a severe ransomware attack in September may have exposed the personal information of up to two million customers, employees, and business contacts. The attack, which crippled the company’s domestic operations, has forced a delay in the release of its full-year financial results and underscores the escalating threat of cybercrime to global corporations.

In a press conference held in Tokyo, Asahi President Atsushi Katsuki acknowledged the company's cybersecurity “weakness” and apologized for the disruption. The breach was first detected on Thursday, September 29, 2025, when a disruption was identified at one of the company's data centres. Subsequent investigations revealed that attackers had infiltrated the network, encrypted data, and deployed ransomware. The Russia-based hacking group Qilin claimed responsibility for the attack on October 7, 2025. Asahi confirmed that no ransom has been paid.

Scope of the Data Breach

The potentially compromised data includes sensitive personal information of approximately 1.52 million customers, such as names, gender, addresses, and contact information. Additionally, the data of about 107,000 current and former employees, 168,000 of their family members, and 114,000 external contacts may have been accessed. Asahi has stated that financial details, such as credit card information, were not compromised in the breach. The company has begun the process of notifying individuals who may be at risk.

The cyber-attack had a significant impact on Asahi's operations within Japan, forcing employees to take orders manually using pen and paper and leading to shortages of popular products like Asahi Super Dry beer across the country. While production at domestic factories resumed in early October, the company's logistics and ordering systems are not expected to be fully restored until February 2026. Asahi has confirmed that the impact of the attack is limited to its systems in Japan, with no effect on its international brands such as Peroni or Fuller's Brewery.

The Kenyan Context: A Sobering Reminder

While Asahi does not have a regional headquarters in East Africa, its products are available in Kenya through various importers and online retailers. The incident serves as a powerful cautionary tale for the Kenyan market, which is facing an unprecedented wave of cyber threats. According to the Communications Authority of Kenya (CA), the country detected a staggering 2.5 billion cyber threat events between January and March 2025, a 201.7% increase from the previous quarter. System vulnerabilities were the primary driver of this surge.

Recent high-profile data breaches in Kenya, such as the one at the Business Registration Service in early 2025, have exposed the sensitive information of numerous companies and individuals, highlighting significant vulnerabilities in both public and private sector systems. Principal Secretary for Internal Security, Dr. Raymond Omollo, noted a sharp rise in ransomware, data breaches, and AI-driven scams in October 2025, stressing the need for enhanced digital literacy and cybersecurity measures.

Legal and Business Implications for Kenya

The Asahi breach reinforces the critical importance of robust data protection frameworks. Kenya's Data Protection Act of 2019, modeled after the EU's GDPR, establishes clear principles for data handling, including data minimization, security safeguards, and purpose limitation. The Act mandates that data controllers and processors register with the Office of the Data Protection Commissioner and implement stringent security measures to protect personal data.

For Kenyan businesses, the financial and reputational damage from such an attack could be catastrophic. The Asahi incident demonstrates how a single breach can lead to significant operational disruption, loss of revenue, and erosion of customer trust. As Kenyan firms increasingly digitize their operations, this global event should prompt an urgent review of their cybersecurity posture, incident response plans, and compliance with local data protection laws to mitigate the risk of a similar crisis.