Kyushu Electric Power has disclosed a major physical security incident after an external storage device containing customer information went missing from one of its subsidiaries’ server rooms.
The incident affects Kyushu Electric Power Transmission and Distribution Co., a subsidiary of Kyushu Electric Power. According to the company, the missing storage device may contain data linked to up to 10.9 million customer records.
The device was used during a backup process on April 27 due to server storage capacity issues. After the backup was completed, the storage medium was placed inside a cabinet in a server room. The company says the server room itself had multiple security controls, but the cabinet where the device was stored was not locked.
The missing device was discovered on May 26, when staff returned to prepare for another backup operation and found that it was no longer in its storage location.
The customer information stored on the device includes names, service location addresses, electricity usage data, telephone numbers, names of retail electricity providers and other related details. Kyushu Electric clarified that bank account numbers and credit card information were not stored on the missing device.
So far, the company says it has not confirmed any leakage of customer information. However, because the device contains a large amount of private data, the incident has been reported to Japan’s Personal Information Protection Commission and other relevant authorities.
Kyushu Electric said it has interviewed personnel who entered and exited the server room between April 27 and May 26 and also conducted on-site checks, but the device has not yet been found. The company is continuing its investigation, including the possibility that the device was removed without authorization.
Local reports say 57 people had access to the server room. Kyushu Electric also reportedly filed a police report on June 4, suspecting that someone may have taken the storage device.
Japan’s Ministry of Economy, Trade and Industry has asked the company to submit a full report by July 8, including details of the incident and the steps being taken to prevent similar cases in the future.
Kyushu Electric says it will continue trying to locate the missing device and will notify affected customers individually. The company also said it will review and strengthen how external storage media is managed.
The incident highlights how data security is not only about cyberattacks and malware. Even when servers are protected, weak physical controls over backup devices can expose millions of people to privacy risks.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
For large utilities and critical infrastructure providers, backup data must be handled with the same level of protection as live systems. Encryption, access control, device tracking and strict storage rules are essential to prevent sensitive customer information from being lost or stolen.
