Japanese energy firm loses drive with data of 10.9 million clients

Kyushu Electric Power Co., one of Japan's major regional utilities, suffered a physical security breach that exposed personal data belonging to 10.9 million customers. An external hard drive containing customer information went missing from company premises.

The lost drive held names, addresses, phone numbers, and customer identification numbers for millions of Kyushu Electric clients across the utility's service region in southwestern Japan. The company discovered the device missing during routine inventory checks and immediately notified affected customers and regulators.

Kyushu Electric launched an investigation to determine how the drive left the facility and whether anyone accessed its contents before discovery. The utility implemented enhanced physical security protocols at data storage locations and conducted a full audit of other sensitive devices and media.

This incident reflects a recurring vulnerability in enterprise data security. Despite advances in encryption and network protection, physical media remains a critical weak point. An unsecured external drive can bypass all perimeter defenses and expose raw customer records at scale.

For the 10.9 million affected customers, the breach creates identity theft and fraud risks. Threat actors with access to names, addresses, and customer IDs can conduct targeted phishing campaigns, impersonation attacks, or social engineering schemes against utility subscribers.

Kyushu Electric operates in a regulated industry with strict data protection requirements under Japanese law. The utility faces potential regulatory penalties and reputational damage from the incident. The company offers free credit monitoring and identity theft protection services to affected customers.

Japanese regulators oversee the utility sector and will investigate whether Kyushu Electric maintained adequate physical security controls. The case underscores why organizations handling sensitive personal data must implement strict protocols for external drives and portable storage devices, including encryption, access logs, and secure disposal procedures.