Kyushu Electric Power Transmission and Distribution, the grid subsidiary of Kyushu Electric Power, cannot account for a backup SSD that held records on 13.54 million customers. The drive was last confirmed in its storage cabinet on April 27, 2026, and was found missing on May 26 when a contractor arrived to run the next monthly backup. It has not turned up since.
The drive belonged to the subsidiary's transmission-fee billing system and its retailer-switching system. Between them, the two systems covered 10.03 million individual customers and 3.51 million corporate or institutional contracts, including data tied to street lights and traffic signals billed as commercial accounts.
| System | Corporate records | Individual records | Total records |
|---|---|---|---|
| Transmission billing system (2016-2024 data) | 3.17mn | 8.99mn | 12.16mn |
| Switching support system (2025-2026 data) | 0.26mn | 0.53mn | 0.79mn |
| Registered in both systems | 0.08mn | 0.51mn | 0.59mn |
| Total (deduplicated) | 3.51mn | 10.03mn | 13.54mn |
The data included customer names, service addresses, electricity usage, supply-point ID numbers and, for switching records, phone numbers. No bank account, credit card or email information was stored on the drive, and the company says its cybersecurity team has found no sign the SSD has surfaced on resale sites or leaked online.
How it happened is the more uncomfortable part. The subsidiary's main data-storage server was running out of space, and a hardware upgrade was not going to be ready until sometime in the 2028 fiscal year, so the company shifted to temporary SSD backups starting around December 2025 as a stopgap. The SSD was kept in a cabinet inside a server room with multiple access controls, badge checks, biometric scanning and cameras, but the cabinet itself was never locked and the drive carried no encryption or password protection. Contractor staff ran the monthly backups without company employees present, so nobody could confirm whether the cabinet had been secured after each session.
The company reported the loss to Japan's Personal Information Protection Commission on May 29 and filed a damage report with police on June 4. The police investigation is ongoing. The Ministry of Economy, Trade and Industry issued a formal report collection order on June 8, and Kyushu Electric Power Transmission and Distribution submitted its response, covering the facts, root causes and planned fixes, on July 8.
The company has identified four separate control gaps: staff treated moving data onto a portable drive as a routine technical fix rather than a data-leakage risk requiring sign-off; nobody explicitly told the contractor to lock the cabinet; the drive itself had no encryption despite the room's physical security; and oversight of the contractor's handling of the media was thin. Its fix is built around what it calls three rules: don't use external storage media by default, don't let them leave secured areas, and encrypt anything that is used so it can't be read if lost. Locked storage and mandatory encryption are already in place for other media the company still uses.
Affected customers will get individual notices, starting in early August and sent in batches because of the volume involved, with a dedicated call center opening once the mailings begin. Kyushu Electric Power says no leak of customer information has been confirmed, and it has told the market it will disclose promptly if that changes or if the incident turns out to carry a material earnings impact.
