A regional Japanese utility has disclosed that a physical hard drive containing personally identifiable information on 10.9 million customer accounts has gone missing, according to an announcement from Kyushu Electric Power Co. reported by TechRadar. The incident, which came to light when IT staff attempted to retrieve the drive on May 26, 2026, highlights persistent vulnerabilities in physical data security even as enterprises focus on cyber threats.
The Incident: A Missing Drive from an Unlocked Cabinet
Kyushu Electric Power Co., one of Japan's largest regional utilities supplying electricity across the Kyushu region (population ~12.5 million), explained that IT staff regularly perform backups to manage server storage. On April 27, 2026, due to capacity constraints, an external storage device was used for a backup task, according to the company's announcement cited by TechRadar.
The drive was stored in a server room cabinet protected by multiple physical security layers, with access limited to just 57 people. However, when staff went to retrieve the drive on May 26, 2026, they found the cabinet left unlocked and the drive missing. The company filed a police report on June 4, 2026, and launched an internal investigation, including interviews with all personnel who entered the server room. “The company is investigating all possibilities, including unauthorized removal of the device, but it has not yet been located,” the announcement stated.
Data at Risk: What Was and Wasn't Exposed
The lost drive allegedly contained information on up to 10.9 million accounts, including:
- Customer names
- Electricity usage data
- Telephone numbers
Crucially, Kyushu Electric stated that no bank account information or credit card data was stored on the drive, according to TechRadar. However, the combination of names and phone numbers still poses a significant privacy and social engineering risk for affected customers.
Regulatory and Corporate Response
The incident has been reported to Japan’s Personal Information Protection Commission and relevant government authorities. Additionally, the Japanese Ministry of Economy, Trade, and Industry has given Kyushu Electric a deadline of July 8, 2026 to submit a full report detailing the incident and all preventative measures taken, TechRadar reported.
The company has apologised publicly and continues its search, but the drive remains unaccounted for.
| Event | Date | Details |
|---|---|---|
| Drive used for backup | April 27, 2026 | External storage device deployed due to capacity constraints |
| Staff find drive missing | May 26, 2026 | Cabinet found unlocked; drive gone |
| Police report filed | June 4, 2026 | Investigation launched |
| Regulatory report deadline | July 8, 2026 | Required by Ministry of Economy, Trade, and Industry |
Implications for Enterprise Technology Leaders
This incident reinforces that physical data security remains a critical control point, even as enterprises invest heavily in cybersecurity. For CTOs and digital transformation leaders, the Kyushu Electric case offers several takeaways:
- Access governance must extend to physical media. Only 57 people had access to the server room, yet a drive could be removed without detection.
- Storage capacity planning can create shadow processes. The backup was performed due to capacity constraints, suggesting inadequate asset lifecycle management.
- Inventory and tracking of removable media. Many enterprises lack automated tracking for external drives, making loss discovery slow (nearly a month in this case).
Companies handling sensitive customer data—particularly utilities, telecoms, and financial services—should review their policies for portable storage devices, including mandatory encryption, physical locks, and tamper-evident seals. The involvement of Japan’s Personal Information Protection Commission signals that regulators increasingly expect proactive physical security controls alongside cyber defenses.
As the investigation continues, the missing drive serves as a reminder that data governance must bridge the digital and physical worlds.
Sources:
