Japanese retailer Muji temporarily disabled online sales because logistics partner Askul suffered a ransomware incident that halted order acceptance and shipping — an example of third-party operational risk propagating to storefront availability.
What’s new and scope
Muji confirmed its Japan online store was taken offline on October 20–21, 2025, citing a logistics outage at Askul; Askul separately stated it suspended “order acceptance and shipping” while investigating the attack and potential data exposure. The disruption covered browsing, ordering and access to order history for Muji customers in Japan, with no confirmed data-loss details as of October 21.
Sources: BleepingComputer (Oct 20, 2025); TechRadar Pro (Oct 21, 2025); Jiji/Nippon (Oct 20, 2025); MarketScreener/Jiji (Oct 19–20, 2025).
Timeline
- Oct 19–20, 2025 (JST): Askul reports ransomware infection; suspends order intake and shipping while investigating scope and any data exposure. Source: Jiji via MarketScreener; Nippon.
- Oct 20, 2025 (JST/UTC): Muji takes Japan online store offline due to the Askul outage; customer browsing/orders/history unavailable. Source: BleepingComputer.
- Oct 21, 2025: Coverage reiterates Askul’s suspension and ongoing investigation; Muji store remains affected in Japan. Source: TechRadar Pro; Business Insurance.
Mechanics: how a supplier outage takes a store offline
Default path: Retail operations integrate storefront (product/checkout) with logistics back ends (OMS/WMS) for availability checks, order creation and shipping labels. Ransomware on the logistics side interrupts these calls, producing hard failures (timeouts/errors) or policy blocks that disable checkout.
Optional modes: Some retailers support “browse-only” or “cart hold” modes when fulfillment is unavailable; others hard-fail to prevent unshippable orders. Public reporting indicates Muji’s site entered a disabled transactions state rather than browse-only.
Key parameters: (1) API health between storefront and logistics; (2) order creation/labeling services; (3) customer account services for order history. All three appear impacted per reports that customers could not order or access histories.
Delivery/trigger
Askul cited a ransomware infection as the trigger. In these events, encryption of application servers, databases or shared storage typically forces the vendor to stop accepting jobs (orders/shipments) and disconnect integrations until systems are restored and data integrity is verified.
Evasion, risks, limitations
Evasion: Supply-chain targeting bypasses retailer perimeter controls by attacking the logistics partner directly. Risks: transaction loss; SLA penalties; brand damage; potential exposure of customer/shipping data held by the logistics provider. Limitations today: no public indicators of compromise, malware family attribution, or confirmed data exfiltration for Askul; statements emphasize ongoing investigation.
Ecosystem context
Third-party ransomware pressure is rising: industry snapshots this week note record payouts and a shift toward operationally disruptive extortion. See ExtraHop (Oct 21, 2025) and Microsoft/Petri (Oct 21, 2025).
What to watch
Official disclosures from Askul and Muji — especially breach notifications or regulator filings — will determine whether the incident was operational only or included data compromise.