PROBABLYPWNED
Data Breaches | June 15, 2026 | 4 min read

Kyushu Electric Loses Unencrypted SSD With 10.9M Records

Japan's Kyushu Electric Power reports an unencrypted SSD containing 10.9 million customer records vanished from a locked server room, becoming Japan's largest data breach.

Sarah Mitchell

A palm-sized solid-state drive containing personal records for 10.9 million customers has vanished from Kyushu Electric Power Transmission and Distribution Co.—and the drive was neither encrypted nor password-protected. The incident, disclosed June 11, appears to be the largest personal data breach in Japanese history.

The missing drive holds customer names, service addresses, telephone numbers, electricity usage data, and retail electricity provider names. Anyone who finds it can read every record without any technical barriers.

Timeline of Failure

The sequence of events reveals a cascade of security gaps:

April 27, 2026: IT staff transferred customer data to an external SSD due to server capacity constraints. The drive was stored in a server room cabinet protected by what the company described as "multiple physical security layers."

May 26, 2026: Staff returned to retrieve the drive and found the cabinet unlocked. The SSD was gone.

June 4, 2026: Kyushu Electric filed a police report, suspecting intentional removal rather than misplacement.

June 11, 2026: The company publicly disclosed the incident after internal investigations failed to locate the drive.

Approximately 57 people had access to the server room. Despite interviews with all personnel, the drive remains missing.

Why No Encryption?

That question will likely dominate regulatory inquiries. The company has not explained why customer data was transferred to an unencrypted external device in the first place—a practice that violates basic data protection principles.

Storage encryption is built into mainstream operating systems and into many enterprise SSD controllers. BitLocker on Windows, FileVault on macOS, and LUKS on Linux provide full-disk encryption with negligible performance impact on any processor with AES instructions, and all three can be applied to a removable drive as easily as to a system disk. Self-encrypting drives with FIPS 140-2 or 140-3 validated cryptographic modules are standard procurement options for any organization handling sensitive data, with one caveat a buyer should know: researchers have found flawed hardware encryption in several commodity SSDs, which is why BitLocker now defaults to software encryption rather than trusting the drive's own controller. Either approach would have left the Kyushu Electric drive unreadable to whoever took it.

The fact that 10.9 million records sat on unprotected storage—accessible to anyone who physically obtained the drive—suggests either a policy failure or a breakdown in policy enforcement.
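The policy gap described above is enforceable in code: an export job can refuse to write customer data anywhere that is not encrypted at rest. The following is an added example, not Kyushu Electric's tooling. It parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on Linux, walks the device tree under the destination mountpoint, and allows the copy only when the filesystem sits on an unlocked dm-crypt mapping (the `crypt` node LUKS creates). The `lsblk` output embedded below is constructed for the example; the `live_lsblk` helper is the one call that touches the real system.

```python
"""Pre-export guard: refuse to copy a dataset onto storage that is not
encrypted at rest.  Added example; the lsblk output is constructed."""
import json
import os
import subprocess

# Constructed `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output:
# /mnt/scratch is a plain ext4 partition on a USB SSD (what Kyushu Electric
# effectively used); /mnt/export is ext4 inside an unlocked LUKS container.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "type": "part", "fstype": "ext4",
              "mountpoint": "/mnt/scratch"}]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdb1", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None,
              "children": [
                  {"name": "export_crypt", "type": "crypt", "fstype": "ext4",
                   "mountpoint": "/mnt/export"}]}]},
    ]
})


def live_lsblk():
    """Query the running system (Linux only, util-linux lsblk)."""
    return subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True).stdout


def _walk(devices, ancestors):
    """Yield (device, chain-from-root) for every node in the lsblk tree."""
    for dev in devices:
        chain = ancestors + [dev]
        yield dev, chain
        yield from _walk(dev.get("children", []), chain)


def mountpoint_is_encrypted(lsblk_json, mountpoint):
    """True if `mountpoint` is backed by a dm-crypt ("crypt") device.

    A LUKS header on the partition (fstype crypto_LUKS) is not enough on its
    own: data is only protected if the mounted filesystem lives on the
    unlocked crypt mapping, so a crypt node must appear in the device chain.
    """
    tree = json.loads(lsblk_json)["blockdevices"]
    for dev, chain in _walk(tree, []):
        if dev.get("mountpoint") == mountpoint:
            return any(node.get("type") == "crypt" for node in chain)
    raise ValueError(f"{mountpoint} is not a mounted filesystem")


def check_export_destination(lsblk_json, dest_path):
    """Resolve dest_path to its mount (longest matching prefix) and decide."""
    tree = json.loads(lsblk_json)["blockdevices"]
    mounts = [d["mountpoint"] for d, _ in _walk(tree, []) if d.get("mountpoint")]
    dest = os.path.normpath(dest_path)
    candidates = [m for m in mounts
                  if dest == m or dest.startswith(m.rstrip("/") + "/")]
    if not candidates:
        return False, "destination is not on a known mount"
    mp = max(candidates, key=len)
    if mountpoint_is_encrypted(lsblk_json, mp):
        return True, f"{mp} is dm-crypt backed; export allowed"
    return False, f"{mp} is not encrypted at rest; export refused"


if __name__ == "__main__":
    for path in ("/mnt/export/customers.csv", "/mnt/scratch/customers.csv"):
        ok, why = check_export_destination(SAMPLE_LSBLK, path)
        print(f"{path}: {'ALLOW' if ok else 'BLOCK'} ({why})")
```

Wire `check_export_destination` in front of whatever copies the data; on the real system pass `live_lsblk()` instead of the constructed sample. The check deliberately requires the unlocked `crypt` mapping rather than just a `crypto_LUKS` partition type, because a LUKS container that was formatted but then mounted by its raw partition would otherwise pass.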

Regulatory Response

Japan's Ministry of Economy, Trade, and Industry has ordered Kyushu Electric to submit a complete incident report by July 8. The company also reported the matter to Japan's Personal Information Protection Commission.

For perspective on regulatory stakes, the World Food Programme breach exposing 600,000 Gaza household records drew significant scrutiny despite affecting far fewer individuals. At 10.9 million records, Kyushu Electric faces potential penalties and mandated security improvements.

Physical Security in the Digital Age

This breach happened without a single line of malicious code. No malware was deployed. No vulnerability was exploited. Someone walked into a server room, found an unlocked cabinet, and took a drive.

Physical security incidents often receive less attention than network breaches, but they can be equally damaging. The Tchap French government breach exposed 73,000 accounts through a technical compromise, but the principle is similar: attackers target the weakest link, whether that's a misconfigured API or an unlocked cabinet.

For organizations handling large datasets, this incident highlights several imperatives:

  1. Encrypt data at rest - Full-disk encryption should be mandatory for any storage device containing personal information, whether fixed or removable, including drives pressed into service as temporary overflow storage
  2. Audit physical access controls - Locked cabinets mean nothing if keys are widely distributed or locks go unchecked
  3. Minimize data portability - Question any workflow that requires copying customer data to portable media; a server capacity problem is solved by adding capacity, not by exporting the dataset
  4. Log physical access - Badge readers and cameras provide accountability that locked cabinets alone cannot, and they turn a month of interviews into a query
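Point 4 is only useful if someone actually runs the query. The following is an added example, not Kyushu Electric's system, of the reconciliation an incident responder would run over badge-reader logs: who entered the server room between the drive going in and the drive being found missing, whether any of those badges were outside the approved roster, and which entries fell outside business hours. The log format, roster, window dates and events are constructed for the example; the dates follow the timeline above.

```python
"""Reconcile server-room badge logs against the access roster for an
incident window.  Added example; log lines and roster are constructed."""
from collections import Counter
from datetime import datetime, time

# Constructed roster: badge ids approved for the server room.
AUTHORIZED = {"B1001", "B1002", "B1003", "B2040"}

# Constructed badge-reader lines: timestamp,door,badge_id,result
BADGE_LOG = """\
2026-04-27T10:12:03,SERVER_ROOM,B1001,GRANTED
2026-04-27T10:12:05,SERVER_ROOM,B1002,GRANTED
2026-05-02T22:41:17,SERVER_ROOM,B1003,GRANTED
2026-05-09T09:05:44,SERVER_ROOM,B7777,GRANTED
2026-05-09T09:05:50,SERVER_ROOM,B7777,DENIED
2026-05-15T13:20:01,LOBBY,B1002,GRANTED
2026-05-26T08:55:12,SERVER_ROOM,B1002,GRANTED
2026-05-30T11:00:00,SERVER_ROOM,B1001,GRANTED
"""

WINDOW_START = datetime(2026, 4, 27, 0, 0)   # drive placed in cabinet
WINDOW_END = datetime(2026, 5, 26, 23, 59)   # drive found missing
BUSINESS_HOURS = (time(8, 0), time(19, 0))   # assumed site hours


def parse_log(text):
    """Turn the CSV-style lines into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "badge": badge, "result": result})
    return events


def audit(events, door="SERVER_ROOM"):
    """Answer the investigator's questions for one door and the window."""
    in_window = [e for e in events
                 if e["door"] == door and WINDOW_START <= e["ts"] <= WINDOW_END]
    granted = [e for e in in_window if e["result"] == "GRANTED"]
    return {
        # Everyone who got in, and how often: the interview list.
        "entries_per_badge": Counter(e["badge"] for e in granted),
        # Reader let in a badge the roster does not know: roster drift or a
        # cloned/reassigned card; either way an immediate lead.
        "unauthorized": sorted({e["badge"] for e in granted
                                if e["badge"] not in AUTHORIZED}),
        # Entries outside business hours deserve camera review first.
        "after_hours": [(e["ts"].isoformat(), e["badge"]) for e in granted
                        if not (BUSINESS_HOURS[0] <= e["ts"].time()
                                <= BUSINESS_HOURS[1])],
        # Denied attempts show who tried and failed, and when.
        "denied": [(e["ts"].isoformat(), e["badge"])
                   for e in in_window if e["result"] == "DENIED"],
    }


if __name__ == "__main__":
    for key, value in audit(parse_log(BADGE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed data the audit narrows 57 interview candidates to the four badges that actually entered during the window, flags one badge the roster does not contain, and isolates a single late-night entry for camera review. A door contact or cabinet-open sensor logged in the same format plugs into the same `audit` function with a different `door` value, which is the correlation a locked cabinet alone can never provide.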

What Customers Should Do

Affected customers include nearly everyone who receives electricity service in Japan's Kyushu region. While no financial data was stored on the drive, the exposed information enables:

  • Targeted phishing attacks referencing accurate service details
  • Identity verification bypass using confirmed addresses and phone numbers
  • Social engineering using electricity usage patterns to establish legitimacy

Kyushu Electric has not announced credit monitoring or identity protection services for affected customers. Given Japan's regulatory environment, such offerings may be mandated as part of the remediation process.

Why This Matters

Utilities collect some of the most comprehensive datasets on residential customers: names, addresses, contact information, and consumption patterns that reveal occupancy schedules and lifestyle details. When that data walks out the door on an unencrypted drive, the exposure extends beyond the immediate theft risk.

The 10.9 million figure represents nearly the entire population served by Kyushu Electric's transmission and distribution subsidiary. Every customer relationship the company has built now carries an asterisk—their data may be in unknown hands.

Japan's regulators will likely use this incident to drive stricter requirements around portable media handling and encryption mandates. For organizations elsewhere, the lesson is simpler: encrypt everything, assume physical security will fail, and design controls that maintain protection when it does.
