Skip to main content

Economic Insights

February 10, 2026

    

What spending data tells us about cyberattacks

The Mastercard Economics Institute researched the economic implications of cybercrime.

Abstract image of lines of code connected by points of light.

Johan Gerber

Executive Vice President,

Security Solutions,

Mastercard

   

Michelle Meyer

Chief Economist,

Mastercard Economics Institute

Asahi Group, maker of Japan’s best-selling beer, was struck by a cyberattack last fall that was so severe the company had to shut down many computer systems and fill orders using pen, paper and fax machines. The disruption cascaded to Asahi’s supply chain, bars and restaurants, and consumers.

This attack is representative of the new face of cybercrime, with digital assaults inflicting broader economic damage and causing greater global losses each year. This trend is creating a stronger connection between cyberattacks and the global economy, with a growing body of research showing that when markets and businesses fail to prioritize their cyber protections, economic growth can suffer.

The more policymakers and business leaders can understand the economic implications of cyberattacks, the more effectively they can prevent them from happening – for instance, if AI-powered phishing is causing the most financial harm, they can prioritize their investments and consumer education there. To support this research, economists at the Mastercard Economics Institute analyzed both the Asahi cyberattack as well as a cyberattack on the Colonial Pipeline a few years ago, as part of our ongoing research into the economics of cybersecurity and cybercrime.

Our review of aggregated and anonymized Mastercard spending data showed a similar pattern of distortion to buying patterns, with evidence of stockpiling in the face of supply disruptions. These two case studies highlight how attacks that impact supply chains expose their fragility and interconnected nature, showing that the effects can go far beyond financial losses for a single business targeted in an attack. Instead, these attacks can result in major impacts for millions of consumers and thousands of businesses, with some disruptions persisting for several months.

 

Case studies of Asahi and Colonial Pipeline attacks

The Mastercard Economics Institute team, led by our colleague Shubham Chauhan, completed in-depth analyses of these two major cyberattacks. The Mastercard Economics Institute reviewed historic transaction data processed on the Mastercard network following each attack to gain insights on their aftereffects and impact on consumers.

In the first case study, we analyzed the September 29, 2025, cyberattack on Asahi Group. Cybercriminals caused a system failure for the company, forcing it to stop production at most of its 30 factories in Japan and suspend orders, shipments and call center operations in the country.

As restaurants, bars and stores struggled to restock Asahi beer, we observed a large, sustained spike in spending at beer and liquor stores in Japan in the first 10 days of October, as news of the cyberattack caused consumers to stockpile Asahi beer, thus exacerbating shortages.

In beer and liquor stores in Japan over those 10 days, we saw a 57% rise in sales from a year earlier. Comparatively, sales rose by only 3% during the same 10-day period in 2024 versus the year prior.

     

Asahi Group ransomware attack

The late September 2025 ransomware attack on Japanese beverage maker Asahi cripped its operations and led to a spike in sales at beer and liquor stores. 

Infographic showing year over year growth in spending at liquor stores.

    

In the second case study, we researched the Colonial Pipeline attack, a ransomware breach on May 7, 2021, that shut down Colonial’s operations and disrupted nearly 45% of fuel supplies on the East Coast of the U.S.

In a similar pattern to the Asahi attack, news of the supply disruption triggered a surge in fuel purchases along the East Coast by May 10. The Mastercard Economics Institute found that the data revealed a 17% increase in spending per card in impacted states versus a 5% increase in other states. Additionally, we found a 14% rise in the average transaction size of fuel purchases, reflecting both stockpiling by consumers and price spikes amid the growing demand.

By May 12, our research identified widespread fuel shortages across the impacted states, caused by both supply disruptions and the higher demand, with supplies eventually normalizing two days later.

     

The Colonial Pipeline cyberattack timeline

Panic buying in the Eastern U.S. ensued in the first days after the ransomware attack on May 7, 2021, followed by fuel shortages. The bar below shows the total spend index per postal code indexed to the 2021 fiscal year average, with red signifying lower than average spend and green signifying higher than average spend. 

Decorative
Map of the Eastern U.S. showing panic buying after Colonial Pipeline attack.

    

The rise of larger scale cyberattacks

The potential for these types of large-scale attacks has only grown. Cybercriminals have professionalized their operations and have increasingly targeted critical infrastructure and key business operations to maximize their chances of receiving large payments for stolen data or frozen systems. To that end, some of the most malicious — and increasingly common — attacks are those targeting hospitals and other health care systems. These attacks can often endanger people’s lives, as emergency care is diverted to different locations and impacted hospital staffs struggle to coordinate and share critical information.

In another recent example of these large-scale breaches, Jaguar Land Rover, the largest U.K. automaker, in August 2025 suffered a cyberattack that halted its global operations for five weeks and impacted more than 5,000 suppliers. This attack was so large that it harmed the overall U.K. economy, which reportedly absorbed estimated losses of $2.5 billion.

Additionally, in 2024, software firm CDK Global shut down data centers, phones and applications following a ransomware intrusion. These mitigation measures disrupted services for approximately 15,000 car dealerships across North America. Economic consultant Anderson Economic Group estimated that CDK’s shutdown cost auto dealers more than $600 million over two weeks. CDK paid a $25 million ransom.

In all four of these cases mentioned, we can clearly see that cybercrime has grown into an economic threat to businesses, infrastructure and GDP growth. More significant attacks should be expected in the future, especially as artificial intelligence increases the sophistication and frequency of attacks.

Recommendations and next steps

As part of our research, we’ve identified two key recommendations.

First, because of how interconnected global economies have become, the response to cybercrime must be more coordinated globally and involve shared responsibility to protect data, instill trust in digital tools and support continued GDP growth. As cybercriminals continue focusing on critical business operations, industries need to build up resilience of both their cybersecurity operations and supply chains to counteract these attacks. Strong public-private partnership and information sharing across industries will support this work.

Second, our analysis underscores the need for continued research into the economics of cybercrime. Without reliable metrics, organizations and governments won't be able to make informed decisions and will instead be forced to rely on anecdotal information to determine the direction of policy and cybersecurity investments.

Securing tomorrow: Preparing for an always-on, AI-powered future

A new Mastercard white paper examines how organizations need to evolve their approaches to protect themselves, their customers and the wider ecosystem.

Learn more
A man looks down at a tablet in front of a brightly-lit building at night.