On April 27, 2026, Kyushu Electric Power Co., Inc. used an external storage device for backup due to server storage capacity constraints. The device was stored in a physically secured server room cabinet. On May 26, the cabinet was found unlocked and the drive missing. The lost drive contained private data of up to 10.9 million customers, including names, service addresses, electricity usage, telephone numbers, and electricity provider names. No financial account data was stored on the drive. The company has conducted personnel interviews, filed a police report, and notified relevant Japanese regulatory authorities. The Ministry of Economy, Trade, and Industry has requested a detailed report by July 8, 2026. The incident is classified as a physical security breach rather than a software vulnerability.

The incident results in the unauthorized loss of sensitive personal information of approximately 10.9 million customers, potentially exposing them to privacy risks such as identity theft or targeted social engineering attacks. However, no financial account or credit card data was compromised, reducing the risk of direct financial fraud. The breach affects customer confidentiality and may impact the company's reputation and regulatory compliance status.

No patch or software fix is applicable as this is a physical security incident. Kyushu Electric Power Co. has reported the incident to law enforcement and regulatory bodies and is conducting an internal investigation. The company should enhance physical security controls around sensitive data storage, enforce strict access controls, and conduct regular audits of physical security measures to prevent recurrence. Impacted customers are being notified individually as part of the response. Organizations should review and strengthen their physical security policies for backup media.