Physical Theft of Backup Drive Exposes Data of 10.9 M Kyushu Electric Power Customers
What Happened – Kyushu Electric Power Co., a major regional utility in Japan, disclosed that an external backup drive containing personal information for up to 10.9 million customers was lost after the cabinet storing it was left unlocked. The drive, used to off‑load server backups on April 27, was discovered missing on May 26.
Why It Matters for TPRM –
- Physical security lapses can lead to large‑scale data exposure even without a cyber‑attack.
- Third‑party risk assessments must include verification of on‑site storage controls for vendors handling sensitive data.
- Regulatory penalties in Japan and potential civil actions can affect downstream supply‑chain partners.
Who Is Affected – Energy and utilities sector; specifically, residential and commercial electricity customers in the Kyushu region (≈10.9 M accounts).
Recommended Actions –
- Review contracts for physical‑security clauses and audit vendor storage practices.
- Require the vendor to provide evidence of enhanced access‑control procedures and regular compliance reporting.
- Update incident‑response playbooks to cover physical‑theft scenarios and notify affected parties per local regulations.
Technical Notes – The incident stemmed from a physical‑security control failure rather than a cyber‑attack: an unlocked server‑room cabinet allowed an unknown individual to remove the drive. No bank‑account or credit‑card data were stored on it, but names, addresses, telephone numbers, electricity‑usage records, and retail‑provider information were exposed. Source: BleepingComputer