Kyushu Electric Power Co., Inc. has disclosed a physical security incident that affects private data of more than 10 million customers.
In an official announcement, the company explains that the IT staff regularly performs backups to manage server storage. Due to capacity constraints, on April 27 an external storage device was used for the task.
The drive was then stored in a server room cabinet protected by multiple physical security layers. On May 26, when IT staff went to retrieve it, they found the cabinet had been left unlocked and the drive was missing.
Kyushu Electric Power Company is one of Japan’s major regional electric utilities, supplying electricity across the Kyushu region, which includes the prefectures of Fukuoka, Saga, Nagasaki, Kumamoto, Oita, Miyazaki, and Kagoshima.
The overall population of the Kyushu region is 12.6 million, and the company stated that the incident impacts up to 10.9 million accounts.
The data present on the now missing drive includes:
Customer names
Service location addresses
Electricity usage data
Telephone numbers
Names of retail electricity providers
Other related information
The firm has clarified that no bank account information or credit card data was stored on the drive. It also promised to notify impacted customers individually in the upcoming period.
Since the loss of the hard drive, the firm has interviewed all personnel who entered the server room and conducted investigations, but couldn’t locate it.
Media outlets report that 57 people had access to the server room, and that Kyushu Electric filed a police report on June 4, suspecting someone had removed the drive.
NHK One reported that the Japanese Ministry of Economy, Trade, and Industry has given the firm until July 8 to report all the details about the incident and the preventative measures taken.
“The company is investigating all possibilities, including unauthorized removal of the device, but it has not yet been located,” reads the bulletin.
The incident has been reported to Japan’s Personal Information Protection Commission and the relevant government authorities.





