Kyushu Electric Power Co. said a missing external drive may have exposed private data tied to up to 10.9 million customer accounts after staff found a server room cabinet unlocked and the device gone on May 26 in Japan.
KEY FACTS
- Incident An external storage device used for backups went missing from a server room cabinet.
- Exposure Data on the drive included names, addresses, electricity usage data and telephone numbers.
- Scope The company said the incident affects up to 10.9 million accounts.
- Exclusions No bank account information or credit card data was stored on the device.
IT staff used the drive on April 27 because of storage capacity constraints, then stored it in a cabinet in a server room protected by multiple physical security layers. When staff returned for it nearly a month later, it could not be found.
The disclosure said the missing data also included names of retail electricity providers and other related information. The company said it has not located the device despite interviewing personnel who entered the room and conducting investigations.
A government report said Japan’s Ministry of Economy, Trade and Industry gave the firm until July 8 to report the incident details and the preventive measures taken. The matter was also reported to the Personal Information Protection Commission and other authorities.
Media reports said 57 people had access to the server room and that police were notified on June 4 after the company suspected the drive may have been removed.
WHY IT MATTERS
The case highlights the risk of physical loss as well as cyber intrusion when large amounts of customer data are moved to portable storage. It also shows how a missing device can trigger regulatory scrutiny and wide notification obligations even without financial account data.