Japanese Energy Firm Loses Drive with Data of 10.9 Million Clients
Kyushu Electric Power Co., Inc., one of Japan's largest regional electric utilities serving over 12.6 million residents across the Kyushu region, has disclosed a physical security incident involving the loss of an external storage drive containing private data tied to up to 10.9 million customer accounts. According to the company's official bulletin, IT staff performed a routine server backup on April 27 using an external drive due to capacity constraints, then secured the device inside a server room cabinet protected by multiple physical security layers. When personnel returned on May 26 to retrieve it, the cabinet had been left unlocked and the drive was gone.
The missing drive contains customer names, service location addresses, electricity usage records, telephone numbers, and the names of retail electricity providers. Kyushu Electric has clarified that no bank account or credit card information was stored on the device, and the company has committed to individually notifying every affected customer. Following the discovery, the firm interviewed all 57 personnel with server room access, filed a police report on June 4, and escalated the matter to Japan's Personal Information Protection Commission and relevant government authorities. The Ministry of Economy, Trade, and Industry has given Kyushu Electric until July 8 to deliver a full account of the incident and the preventative measures being implemented.
"The company is investigating all possibilities, including unauthorized removal of the device, but it has not yet been located," the bulletin reads. While no financial credentials were exposed, the dataset still carries significant risk, including targeted phishing, social engineering against utility customers, and cross-referencing with other leaked data to build detailed personal profiles. Impacted individuals should verify whether their contact details appear in known compromises using an email breach checker, run a quick password checker to confirm their login credentials have not surfaced elsewhere, and complete a privacy checkup to reduce their overall exposure. The case underscores that even organizations with layered digital defenses remain highly vulnerable when physical access controls and internal audit procedures fail.