VYPR
Breach · Published Jun 11, 2026 · 1 source

Kyushu Electric Power loses unencrypted hard drive with data of 10.9 million customers

Kyushu Electric Power Co. disclosed a physical security incident in which an unencrypted portable hard drive containing the personal data of 10.9 million customers was lost.

Kyushu Electric Power Co., Inc. has disclosed a physical security incident that affects the private data of more than 10 million customers. The Japanese energy utility reported that a portable hard drive containing the personal information of approximately 10.9 million customers was lost. The drive was not encrypted, exposing names, addresses, and electricity usage details. The company stated that no third-party access or misuse has been confirmed, but the incident raises serious concerns about data protection practices in critical infrastructure sectors.

The lost hard drive contained customer data collected over an unspecified period. Kyushu Electric Power has not disclosed the exact circumstances of the loss, such as whether the drive was misplaced, stolen, or discarded improperly. The company has launched an internal investigation and notified relevant authorities, including Japan's Personal Information Protection Commission. The utility is also contacting affected customers to inform them of the breach and advise on protective measures.

The incident highlights a fundamental security failure: the lack of encryption on a portable storage device containing sensitive personal data of millions of individuals. Encryption is a basic security measure that renders data unreadable without the proper decryption key, even if the physical device is lost or stolen. The absence of such protection means that anyone who has found or taken the drive could access the data with minimal effort.

Kyushu Electric Power serves millions of households and businesses across the Kyushu region of Japan. The exposed data includes names, addresses, and electricity usage patterns, which could be used for targeted phishing attacks, identity theft, or other malicious purposes. While the company has not confirmed any misuse, the risk remains significant given the volume and sensitivity of the data.

The incident is reminiscent of similar physical security breaches in other sectors, where unencrypted laptops, USB drives, or backup tapes have been lost or stolen, leading to massive data exposures. In 2023, for example, a contractor for the U.S. Department of Veterans Affairs lost an unencrypted laptop containing data of over 46,000 veterans. Such incidents underscore the importance of encryption as a standard practice for any portable storage device containing personal data.

Kyushu Electric Power has apologized for the incident and stated that it will implement additional security measures to prevent a recurrence. The company is also reviewing its data handling policies and considering the use of encrypted storage devices and stricter access controls. However, the damage to customer trust may be lasting, particularly given the utility's role in providing essential services.

The incident also raises questions about regulatory oversight in Japan. While the country has data protection laws, including the Act on the Protection of Personal Information, enforcement and penalties for breaches have historically been less stringent than in other jurisdictions, such as the European Union under GDPR. This incident may prompt calls for stronger enforcement and clearer requirements for encryption of personal data.

As the investigation continues, affected customers are advised to monitor their accounts for suspicious activity and be cautious of unsolicited communications that may attempt to exploit the exposed information. Kyushu Electric Power has set up a dedicated helpline and website for customers seeking more information about the breach and steps they can take to protect themselves.

Synthesized by Vypr AI