ctipilot.ch

Kyushu Electric subsidiary loses unencrypted SSD with 10.9M customer records — reportedly Japan's largest personal-data breach

incident · incident:kyushu-electric-ssd-loss-2026

  • Coverage timeline: 1 (first 2026-06-14 → last 2026-06-14)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-14 · CTI Daily Brief — 2026-06-14
    active_threats · First coverage. Palm-sized SSD missing from restricted server room (backed up 27 Apr, found gone 26 May); 10.9M records unencrypted; PIPC+METI notified, 8 Jul deadline. Physical-media-control failure (NIS2 21(2)(h)).

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 1 (50%)
  • techtimes.com: 1 (50%)

Related entities

Items in briefs about Kyushu Electric subsidiary loses unencrypted SSD with 10.9M customer records — reportedly Japan's largest personal-data breach (1)

Kyushu Electric subsidiary loses an unencrypted SSD with 10.9 million customer records — reportedly Japan's largest personal-data breach

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

Kyushu Electric Power Transmission and Distribution disclosed on 8 June that a palm-sized portable SSD holding personal records for roughly 10.9 million customers went missing from a restricted server room; a contractor had backed up data to the drive on 27 April and stored it in a cabinet that was found unlocked and empty on 26 May (BleepingComputer, 2026-06-11). The drive held names, service addresses, phone numbers, electricity-usage data and retail-supplier names — all stored unencrypted and without password protection; no financial data was included (TechTimes, 2026-06-12). Kyushu Electric notified Japan's Personal Information Protection Commission and METI, which set an 8 July deadline for a full account.

Defender takeaway: This is a pure physical-media-control failure, the kind of exposure that EU operators are required to address under NIS2 Article 21(2)(h). Audit whether backup media that leaves a server room is encrypted at rest with hardware-enforced AES, asset-tagged and access-logged. Here a single unlocked cabinet produced a regulatory incident and total exposure with no remote attacker involved.