Japanese office and household goods supplier Askul Corporation has begun restoring core logistics operations following a prolonged disruption caused by a ransomware incident. The Askul cyberattack, first detected on October 19, 2025, led to system outages, operational paralysis, and the confirmed exposure of sensitive personal and business data.
After nearly two months of recovery work, Askul announced that system-based shipment operations had resumed, starting with two logistics centers located in Tokyo and neighboring Saitama Prefecture. The company said that eight additional distribution hubs will be brought back online gradually as safety assessments are completed.
Speaking to reporters at a logistics center in Tokyo’s Edogawa Ward, President and CEO Akira Yoshioka issued a formal apology. “I sincerely apologize for the trouble and concern caused to many customers,” Yoshioka said. He added that the company was committed to pursuing “a full-fledged security governance reform” in response to the incident.
Disruption to Operations and Gradual Recovery
The Askul cyberattack forced the company to suspend nearly all online services shortly after detection. Order intake and shipping operations across its ASKUL, Soloel Arena, and LOHACO platforms were halted on the afternoon of October 19, following confirmation that ransomware had encrypted internal systems. During the initial recovery phase, Askul accepted only limited orders via fax, restricting shipments to a small selection of essential items.
As system restoration progressed, the company gradually expanded order acceptance, prioritizing high-demand products such as copier paper. However, Yoshioka declined to provide a timeline for full restoration of logistics operations, stating that remaining hubs would reopen incrementally based on ongoing safety evaluations.
Confirmation of Large-Scale Data Theft
Beyond operational disruption, the Askul data breach revealed a loss of sensitive information. Askul confirmed that approximately 740,000 records were stolen during the ransomware incident, which has been linked to the RansomHouse extortion group.
According to Askul’s disclosures, the compromised data includes approximately 590,000 business customer service records and roughly 132,000 individual customer records. In addition, information related to around 15,000 business partners, such as agents, contractors, and suppliers, was affected, along with data belonging to about 2,700 executives and employees, including those at group companies.
Askul stated that detailed breakdowns of the exposed information were withheld to prevent secondary misuse. Affected customers and partners are being notified individually, and the company has reported the data breach at Askul to Japan’s Personal Information Protection Commission. Long-term monitoring measures have also been implemented to detect potential misuse of stolen data.
Importantly, Askul clarified that it does not store customer credit card information for LOHACO transactions, as payment processing is handled through an external system designed to prevent the company from accessing such data.
Attack Timeline and RansomHouse Involvement
The RansomHouse group publicly claimed responsibility for the Askul cyberattack, first disclosing the breach on October 30. Additional data leaks followed on November 10 and December 2. Askul confirmed that all published data was reviewed and analyzed by October 31, November 11, and December 9, respectively. A dedicated inquiry desk for affected individuals was established on November 4.
In its 13th official update, released on December 12, Askul provided a detailed chronology of the incident. After detecting ransomware activity on October 19, the company immediately isolated suspected infected systems, disconnected networks, strengthened monitoring, and initiated a company-wide password reset. By 2:00 p.m. that day, a formal incident response headquarters and specialized recovery teams were established.
External cybersecurity experts were engaged on October 20 to conduct forensic investigations, including log analysis and impact assessments. Despite these efforts, unauthorized access to an external cloud-based inquiry management system was identified on October 22. Password resets for major cloud services were completed by October 23, after which no further intrusions were confirmed.
Technical Findings and Root Cause Analysis
Askul’s investigation concluded that attackers likely gained initial access using stolen authentication credentials tied to an outsourced partner’s administrative account that lacked multi-factor authentication. After entering the internal network, the attackers conducted reconnaissance, collected additional credentials, disabled endpoint detection and response (EDR) tools, and moved laterally across servers.
Notably, Askul confirmed that multiple ransomware variants were deployed, including strains that evaded EDR signatures available at the time. Once sufficient privileges were obtained, attackers simultaneously encrypted data across logistics and internal systems, including backup files. This delayed recovery efforts.
The attack had a severe impact on Askul’s logistics infrastructure, which relies heavily on automated warehouses, picking systems, and integrated logistics platforms. When these systems were disabled, outbound shipments were completely halted.
Investigators also confirmed unauthorized access to an external cloud-based inquiry management system, from which data was exfiltrated and later published. Askul stated that no evidence of compromise was found in its core business systems or customer-facing platforms.
Security Reforms and Governance Changes
In response to the data breach at Askul, the company initiated sweeping security reforms aligned with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. Enhancements include mandatory MFA for all remote access, strengthened log analysis, expanded 24/7 security monitoring, and improved asset integrity checks.
Askul has also committed to rebuilding its security governance framework by the end of the fiscal year in May 2026, focusing on enterprise risk management, clearer accountability, and stronger oversight.
The company noted that it has not contacted the attackers, negotiated, or paid any ransom, citing its responsibility to avoid encouraging criminal activity. It continues to cooperate with law enforcement, regulatory authorities, and information-sharing organizations such as JPCERT/CC.
