ctipilot.ch

South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key held by a former employee

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

South Korea's Personal Information Protection Commission (PIPC) issued its largest-ever data-protection penalty against e-commerce platform Coupang, attributing a breach of tens of millions of customer records to a former engineer who developed the company's alternative authentication system, retained its signing key on departure, and used forged authentication tokens to query customer delivery and account pages undetected for seven months (The Record, 2026-06-12). PIPC characterised the failure as "deficiencies in basic safety management rather than a sophisticated hacking attack": the signing key was never revoked during offboarding and no anomaly detection flagged the overseas access pattern. Coupang separately drew an evidence-obstruction finding for deleting roughly six months of web-access logs after a preservation order (BleepingComputer, 2026-06-11).

Why it matters to us: This is a clean enforcement model for "offboarding token-revocation failure → maximum regulatory exposure," and the logic transfers directly to GDPR Article 32 and nDSG Article 8. Identity teams should audit all signing keys and OAuth client secrets tied to departed staff/contractors, confirm access logs fall under legal-hold retention covering a full incident window, and add anomaly detection for credential use from unexpected geographies (T1078.004, T1550.001).
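The three controls above (a key inventory with an owner per key, revocation on offboarding, and geography-based anomaly flagging) can be sketched in a single runnable model. The block below is an added illustration, not Coupang's code or anything PIPC described: it uses a constructed HMAC-SHA256 token format rather than JWT, hypothetical key ids, owners and log lines, and a hypothetical expected-country table. The point it makes is the one in the brief: a token with a perfectly valid signature must still be rejected once its signing key has been revoked, and the revocation has to be keyed off who owned the key, not off who is currently logged in.

```python
"""Added example (not the platform's code): a tiny signed-token scheme with a
key inventory, an offboarding routine that revokes every key a departing
principal owned, and a log scan that flags token use from an unexpected country.
All key ids, secrets, owners and log lines are constructed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    owner: str            # person or team accountable for the key (hypothetical)
    revoked: bool = False


# Hypothetical key inventory; in practice this is the KMS / secret-store record.
KEYRING = {
    "k-2025-auth": SigningKey("k-2025-auth", b"constructed-secret-1", "eng.alice"),
    "k-2026-auth": SigningKey("k-2026-auth", b"constructed-secret-2", "team.identity"),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Produce 'kid.payload.mac' (constructed format, HMAC-SHA256 over kid.payload)."""
    key = KEYRING[kid]
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key.secret, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    return f"{kid}.{payload}.{_b64(mac)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the MAC is valid AND the key is not revoked.
    A correct MAC under a revoked key is exactly the offboarding failure case."""
    try:
        kid, payload, mac = token.split(".")
    except ValueError:
        return None
    key = KEYRING.get(kid)
    if key is None or key.revoked:
        return None
    expected = hmac.new(key.secret, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        return None
    return json.loads(_unb64(payload))


def offboard(principal: str) -> list:
    """Revoke every key the departing principal owned and return the kids revoked,
    which is also the list of keys that must be re-issued under a current owner."""
    revoked = []
    for key in KEYRING.values():
        if key.owner == principal and not key.revoked:
            key.revoked = True
            revoked.append(key.kid)
    return revoked


# Expected source countries per account (constructed); anything else is an anomaly.
EXPECTED_GEO = {"svc.delivery-lookup": {"KR"}}


def flag_unexpected_geo(log_lines: list) -> list:
    """Scan constructed access-log lines 'ts account src_country path' and return
    (ts, account, country) for requests from outside the account's expected set."""
    hits = []
    for line in log_lines:
        ts, account, country, _path = line.split()
        allowed = EXPECTED_GEO.get(account)
        if allowed is not None and country not in allowed:
            hits.append((ts, account, country))
    return hits


SAMPLE_LOG = [  # constructed access-log lines
    "2026-01-03T02:11:09Z svc.delivery-lookup KR /orders/1001",
    "2026-01-03T02:11:42Z svc.delivery-lookup CN /orders/1002",
    "2026-01-03T02:12:05Z svc.delivery-lookup CN /orders/1003",
]

if __name__ == "__main__":
    tok = sign_token("k-2025-auth", {"sub": "svc.delivery-lookup"})
    print("before offboarding:", verify_token(tok))
    print("revoked on offboarding:", offboard("eng.alice"))
    print("after offboarding:", verify_token(tok))   # None: valid MAC, revoked key
    print("geo anomalies:", flag_unexpected_geo(SAMPLE_LOG))
```

Two design points carry over to real deployments: the revocation check happens before the MAC check, so a leaked key buys nothing once its inventory entry is flipped, and the geography scan runs over retained access logs, which is why the log-retention window has to outlast the longest plausible dwell time rather than a default rotation period.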