Kyushu Electric Power Transmission and Distribution, the grid subsidiary of Kyushu Electric Power, disclosed June 8 that an external storage device carrying personal data of up to 10.9 million customers, nearly Kyushu’s entire residential electricity customer base, has gone missing.
On April 27, IT staff pulled an external drive for a routine backup after server storage hit capacity. They stored it in a server room cabinet protected by multiple physical security layers. On May 26, the cabinet was unlocked and the drive was gone.
The data on it: customer names, service addresses, electricity usage, phone numbers, and the names of contracted retail providers. No bank account or credit card data was on the device. The company confirmed it can’t locate the drive despite interviewing all 57 personnel who had server room access and conducting further investigations. No actual data leakage has been confirmed.
On June 4, the company filed a police report treating the disappearance as probable theft. Japan’s Personal Information Protection Commission has been notified under Japan’s Act on the Protection of Personal Information (APPI). METI has set a July 8 deadline for Kyushu Electric to deliver a full incident report and remediation plan.
What the incident’s mechanics tell you: the server room had multiple security layers. The cabinet inside it didn’t. Perimeter controls without matching internal controls: that’s where the data walked out. APPI mandates breach notification, but administrative fines for this class of incident don’t yet exist; Tokyo has been advancing proposals to add them, and a 10.9-million-record incident at a major utility is exactly the kind of case that sharpens that push.
Worth reading the METI report. It drops July 8.
— Rebecca Lauren