Kyushu Electric Power Transmission and Distribution Co.: Japan Data Breach: Kyushu Electric Loses Unencrypted SSD with 10.9 Million Customer Records

Kyushu Electric Power Transmission and Distribution Co.: Japan Data Breach: Kyushu Electric Loses Unencrypted SSD with 10.9 Million Customer Records

Kyushu Electric Power Data Breach Exposes 10.9 Million Customer Records in Japan’s Largest-Ever Breach

Kyushu Electric Power Transmission and Distribution Co., a subsidiary of one of Japan’s largest regional utilities, disclosed on June 8, 2026, that a palm-sized solid-state drive (SSD) containing personal data for up to 10.9 million customers had gone missing. The unencrypted and unprotected device stored in a biometrically secured server room contained sensitive information, including customer names, service addresses, telephone numbers, electricity usage data, and retail supplier details. The incident marks the largest personal data breach in Japanese history, surpassing the 7.93 million-record breach at travel company JTB in 2016.

The breach stemmed from a routine backup procedure on April 27, 2026, when a contractor copied the customer database onto the SSD due to insufficient server storage. The drive was placed in an unlocked cabinet within a server room protected by biometric access controls. When the contractor returned on May 26, the SSD was gone. Security logs revealed that 57 individuals from 10 different contracting firms had accessed the room during the 30-day window between storage and discovery. Despite a police report filed on June 4, the drive remains unrecovered, and the company has found no evidence of data leakage.

The most critical failure was the lack of encryption. Under NIST’s Special Publication 800-209, portable backup media must be encrypted to prevent unauthorized access in cases of physical loss or theft. Kyushu Electric’s oversight left the data fully exposed, turning a missing device into a major breach. The incident also highlights a broader pattern: KPMG Japan reports that subcontractors and business partners account for 10.8% of security incidents in Japanese organizations, a trend this breach exemplifies.

Unlike previous large-scale breaches in Japan such as those at JTB (2016) and Kaikatsu Club (2025) this incident involves a critical infrastructure operator. Kyushu Electric serves seven prefectures, including Fukuoka, Nagasaki, and Kumamoto, with a customer base representing 12.6 million people. While the exposed data did not include financial information, the combination of names, addresses, and electricity usage patterns creates significant risks, including targeted phishing, identity fraud, and physical security threats.

Japan’s Act on the Protection of Personal Information (APPI) requires breach notifications to regulators and affected individuals without delay. Kyushu Electric has notified the Personal Information Protection Commission and the Ministry of Economy, Trade and Industry (METI), with a full incident report due by July 8, 2026. Individual customer notifications are pending. Current penalties under APPI cap at ¥100 million ($700,000), but a 2026 amendment bill expected to pass would introduce administrative fines based on economic benefit from violations, potentially increasing financial consequences for future breaches.

The incident underscores a gap in critical infrastructure security: while cybersecurity frameworks emphasize network defenses, physical security of data storage media remains underregulated. The breach occurred despite biometric access controls, as downstream failures an unlocked cabinet and unencrypted data left the information vulnerable. The case serves as a reminder that physical security risks can be as severe as cyber threats, particularly when basic safeguards are overlooked.

Source: https://www.techtimes.com/articles/318287/20260612/japan-data-breach-kyushu-electric-loses-unencrypted-ssd-109-million-customer-records.htm

Kyuden International Corporation cybersecurity rating report: https://www.rankiteo.com/company/kyuden-international-corporation

"id": "KYU1781281967",
"linkid": "kyuden-international-corporation",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '10.9 million',
                        'industry': 'Utilities (Electricity)',
                        'location': 'Japan (seven prefectures: Fukuoka, '
                                    'Nagasaki, Kumamoto, etc.)',
                        'name': 'Kyushu Electric Power Transmission and '
                                'Distribution Co.',
                        'size': 'Large (12.6 million people served)',
                        'type': 'Critical Infrastructure Operator'}],
 'attack_vector': 'Physical Loss/Theft',
 'customer_advisories': 'Pending (expected to be issued post-regulatory '
                        'reporting)',
 'data_breach': {'data_encryption': 'None (unencrypted SSD)',
                 'data_exfiltration': 'No evidence of data leakage',
                 'number_of_records_exposed': '10.9 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, usage patterns)',
                 'type_of_data_compromised': ['Customer names',
                                              'Service addresses',
                                              'Telephone numbers',
                                              'Electricity usage data',
                                              'Retail supplier details']},
 'date_detected': '2026-05-26',
 'date_publicly_disclosed': '2026-06-08',
 'description': 'Kyushu Electric Power Transmission and Distribution Co. '
                'disclosed that a missing unencrypted solid-state drive (SSD) '
                'containing personal data for up to 10.9 million customers had '
                'gone missing. The device stored sensitive information, '
                'including customer names, service addresses, telephone '
                'numbers, electricity usage data, and retail supplier details. '
                'The incident marks the largest personal data breach in '
                'Japanese history.',
 'impact': {'brand_reputation_impact': 'Significant',
            'data_compromised': '10.9 million customer records',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Potential fines under APPI',
            'payment_information_risk': 'None',
            'systems_affected': 'Backup storage system'},
 'investigation_status': 'Ongoing (drive unrecovered, no evidence of data '
                         'leakage)',
 'lessons_learned': 'Physical security of data storage media is as critical as '
                    'cybersecurity defenses. Unencrypted backup media and '
                    'unlocked storage cabinets pose severe risks, even in '
                    'biometrically secured environments. Subcontractors and '
                    'business partners are significant sources of security '
                    'incidents in Japan.',
 'post_incident_analysis': {'root_causes': ['Unencrypted backup media',
                                            'Unlocked storage cabinet in a '
                                            'biometrically secured room',
                                            'Insufficient server storage '
                                            'leading to use of portable SSD',
                                            'Lack of auditing for physical '
                                            'access to storage areas']},
 'recommendations': ['Enforce encryption for all portable backup media as per '
                     'NIST SP 800-209',
                     'Implement stricter physical access controls and auditing '
                     'for storage areas',
                     'Enhance third-party risk management for contractors and '
                     'subcontractors',
                     'Conduct regular security awareness training for all '
                     'personnel with access to sensitive data'],
 'references': [{'date_accessed': '2026-06-08',
                 'source': 'Kyushu Electric Power Transmission and '
                           'Distribution Co. disclosure'},
                {'source': 'KPMG Japan security incident report'},
                {'source': 'Act on the Protection of Personal Information '
                           '(APPI)'},
                {'source': 'NIST Special Publication 800-209'}],
 'regulatory_compliance': {'legal_actions': 'Potential administrative fines '
                                            '(pending 2026 APPI amendment)',
                           'regulations_violated': ['Act on the Protection of '
                                                    'Personal Information '
                                                    '(APPI)',
                                                    'NIST Special Publication '
                                                    '800-209 (encryption '
                                                    'requirements)'],
                           'regulatory_notifications': ['Personal Information '
                                                        'Protection Commission',
                                                        'Ministry of Economy, '
                                                        'Trade and Industry '
                                                        '(METI)']},
 'response': {'communication_strategy': 'Notifications to regulators (PIPC, '
                                        'METI) and pending customer '
                                        'notifications',
              'containment_measures': 'Investigation ongoing, drive remains '
                                      'unrecovered',
              'law_enforcement_notified': 'Yes (police report filed on '
                                          '2026-06-04)'},
 'stakeholder_advisories': 'Regulatory notifications submitted to PIPC and '
                           'METI. Customer notifications pending.',
 'title': 'Kyushu Electric Power Data Breach Exposes 10.9 Million Customer '
          'Records in Japan’s Largest-Ever Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unencrypted backup media, unlocked storage '
                            'cabinet'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.