Japanese Utility Exposes 10.9 Million Client Records in Data Loss Incident

“The company is investigating all possibilities, including unauthorized removal of the device, but it has not yet been located,” reads the bulletin from Kyushu Electric Power Co., Inc.

Timeline: April 27 backup, May 26 missing, June 4 report, July 8 deadline

According to the company, IT staff performed a routine backup on April 27 and used an external storage device because of server capacity constraints. The drive was kept in a server-room cabinet that the firm says was protected by multiple physical security layers. When staff went to retrieve the device on May 26 they found the cabinet unlocked and the drive missing. Media outlets report Kyushu Electric filed a police report on June 4, saying it suspects the drive was removed. The Ministry of Economy, Trade, and Industry (METI) has given the firm until July 8 to submit full details of the incident and the countermeasures it has taken.

Kyushu Electric Power Co., Inc.: geographic and customer scope

Kyushu Electric Power supplies electricity across Japan's Kyushu region, which the company specifies includes Fukuoka, Saga, Nagasaki, Kumamoto, Oita, Miyazaki, and Kagoshima prefectures. The region's overall population is 12.6 million; Kyushu Electric says the incident affects up to 10.9 million accounts. The firm has pledged to notify impacted customers individually.

Data on the missing drive: what was stored

The company published a list of the data that was present on the missing drive. It includes customer names; service-location addresses; electricity-usage data; telephone numbers; the names of retail electricity providers; and “other related information.” Kyushu Electric emphasized that no bank account information or credit card data was stored on the device.

Physical security, internal checks, and access

Kyushu Electric says the drive was placed in a cabinet inside a server room and that the cabinet was expected to be secured by multiple physical security layers. After discovering the drive missing on May 26, the firm interviewed all personnel who had entered the server room and conducted internal investigations but was unable to locate the device. Media reporting cites 57 people as having access to the server room. Kyushu Electric has described its posture as investigating “all possibilities, including unauthorized removal of the device.”

Regulators and law enforcement: METI and the Personal Information Protection Commission

The incident has been reported to Japan's Personal Information Protection Commission and to “the relevant government authorities,” the company said. METI has set a reporting deadline of July 8 for Kyushu Electric to provide a full account and the preventive measures it will adopt. Separately, Kyushu Electric filed a police report — according to media outlets — on June 4, citing suspicion that someone removed the drive.

What this means for customers, METI, and IT/security teams

  • Customers: Kyushu Electric says it will notify impacted customers individually. Based on the data types listed, those notices will concern exposure of names, addresses, telephone numbers, electricity-usage records, and retail-provider details, but not bank or credit-card information, which the firm states was not on the drive.
  • METI and regulators: METI has formally requested the information, and its July 8 deadline requires Kyushu Electric to disclose a timeline and preventive measures; the Personal Information Protection Commission has also been notified.
  • IT and security teams at Kyushu Electric: the company has interviewed personnel who entered the server room and carried out internal investigations. The firm’s account cites capacity limits that prompted use of an external device, and a subsequent failure of the physical control that was supposed to secure that device.

The immediate facts are concise: an external backup taken April 27 has gone missing; it contained personal and usage data tied to as many as 10.9 million customer accounts across Kyushu; internal inquiries so far have not located the drive; and regulators and police have been notified. The next concrete milestones are Kyushu Electric’s individual customer notifications and the full report the company must submit to METI by July 8 — documents and actions that will determine how the firm explains the breakdown between intended physical security and actual control of the backup device.

Original story on BleepingComputer