On May 26, an IT operator at Kyushu Electric Power opened a server-room cabinet to retrieve an external backup drive and found the cabinet had been left unlocked. The drive was gone. The data on it, according to the utility's own disclosure, covered up to 10.9 million customer accounts, a figure that approaches the 12.6 million people Kyushu Electric serves across the seven prefectures of Fukuoka, Saga, Nagasaki, Kumamoto, Oita, Miyazaki, and Kagoshima, as BleepingComputer reports.
The incident, publicly disclosed around June 11, is not a cyberattack. No external intrusion has been alleged. The threat walked out the door.
The drive was a stopgap. On April 27, IT staff had used the external storage device for backup because of server storage capacity constraints, then stored it in a server-room cabinet protected by what the company described as multiple physical security layers. The same cabinet was unlocked nearly a month later when the retrieval was attempted. The missing record set, per Kyushu Electric's announcement as reported by BleepingComputer, includes customer names, addresses, electricity usage, and phone numbers. The company has explicitly said bank and credit card data was not on the drive.
The access pool is the operational story. Media reports cited by BleepingComputer put the number of people with server-room access at 57. That figure, combined with a single unlocked cabinet and a single missing drive, frames the failure as a chain-of-custody and access-control architecture problem rather than a perimeter-security one. A police report was filed on June 4 on suspicion of unauthorized removal; Kyushu Electric's own investigation is the primary source for the technical detail so far.
The regulatory peg gives the incident a forward arc. Japan's Ministry of Economy, Trade and Industry (METI) has given Kyushu Electric until July 8 to report full incident details and preventative measures, according to BleepingComputer's account. That deadline effectively converts the company's remediation plan into a public document. For other utilities, hospital operators, insurers, and government agencies that still rely on external drives for capacity-constrained backups, the next six weeks are an opportunity to audit the same three things: who has server-room access, whether backup media sits in a cabinet inside the room rather than in a segregated media safe, and whether "unlocked" is even a state the cabinet can enter.
The data scope also matters for how the exposure should be characterized. The fields on the drive are personal, but they are not financial. Names, addresses, usage, and phone numbers are enough for targeted social engineering, particularly in a region where the utility's brand and the retail-electricity relationship are household fixtures. They are not, on their own, enough for direct financial fraud. The criticism that survives a sober read is the access-control one: a customer base nearly the size of the service region held on a single device, secured by a lock that was demonstrably not the effective control.
What remains unconfirmed is also worth naming. The company has not publicly enumerated every data field on the drive; the receipt excerpt reviewed for this piece was truncated. No independent regulator statement from Japan's Personal Information Protection Commission has been published. No third-party incident-response firm has corroborated the chain of events. The server-room access figure of 57, the precise chronology, and the contents of the June 4 police filing all trace to a single secondary source, BleepingComputer, working from the company's own announcement. Any operator reading this as a benchmark should treat the numbers as Kyushu Electric's stated numbers, not as adjudicated facts.
The watch items are concrete. Kyushu Electric's July 8 report to METI will show whether the utility's answer is procedural (more locks, more audit logs) or architectural (offsite encrypted backups, media segregated from the systems it backs up, access-tiered server rooms). The police investigation will either narrow the access pool to a named party or expand the failure mode to "we don't know." And the rest of Japan's regional utilities, several of which face the same capacity-constrained backup choices Kyushu Electric cited as the trigger, will be reading the July 8 report the same way their customers are.