ctipilot.ch

South Korea PIPC record fine on Coupang over unrevoked former-employee signing key

incident · incident:coupang-pipc-record-fine-2026

  • Coverage timeline: 1 (first 2026-06-13 → last 2026-06-13)
  • Briefs: 1 (1 distinct)
  • Sources cited: 25 (16 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8

Story timeline

  1. 2026-06-13: CTI Daily Brief — 2026-06-13 (section: active_threats). First coverage. Former engineer kept auth signing key on offboarding, forged tokens, 7-month undetected query of customer records; PIPC 'basic safety management' failure; evidence-obstruction finding (deleted access logs). Offboarding/key-revocation lesson (GDPR Art.32/nDSG Art.8 analogue).

Where this entity is cited

  • active_threats: 1

Source distribution

  • thehackernews.com: 7 (28%)
  • bleepingcomputer.com: 2 (8%)
  • therecord.media: 2 (8%)
  • blog.talosintelligence.com: 2 (8%)
  • ico.org.uk: 1 (4%)
  • theregister.com: 1 (4%)
  • attack.mitre.org: 1 (4%)
  • enki.co.kr: 1 (4%)
  • other: 8 (32%)

Items in briefs about South Korea PIPC record fine on Coupang over unrevoked former-employee signing key (5)

South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

A regulatory follow-up worth a defender's attention because the root cause is mundane and universal. South Korea's Personal Information Protection Commission issued its largest-ever penalty against e-commerce platform Coupang, attributing a breach of tens of millions of customer records to a signing key that a former employee had stolen before departing and then used to harvest customer data undetected for months (The Record; daily 06-13). Key custody and anomaly detection on signing-key use are the controls that failed, and the months of undetected access are what turned an insider theft into a record fine.

South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key held by a former employee

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

South Korea's Personal Information Protection Commission (PIPC) issued its largest-ever data-protection penalty against e-commerce platform Coupang, attributing a breach of tens of millions of customer records to a former engineer who developed the company's alternative authentication system, retained its signing key on departure, and used forged authentication tokens to query customer delivery and account pages undetected for seven months (The Record, 2026-06-12). PIPC characterised the failure as "deficiencies in basic safety management rather than a sophisticated hacking attack": the signing key was never revoked during offboarding and no anomaly detection flagged the overseas access pattern. Coupang separately drew an evidence-obstruction finding for deleting roughly six months of web-access logs after a preservation order (BleepingComputer, 2026-06-11).

Why it matters to us: This is a clean enforcement model for "offboarding token-revocation failure → maximum regulatory exposure," and the logic transfers directly to GDPR Article 32 and nDSG Article 8. Identity teams should audit all signing keys and OAuth client secrets tied to departed staff/contractors, confirm access logs fall under legal-hold retention covering a full incident window, and add anomaly detection for credential use from unexpected geographies (T1078.004, T1550.001).
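The two checks recommended above, as an added example that is not part of the brief: an orphaned-key audit (unrevoked keys whose owner has left) and a detection pass over token-use events that flags keys bound to departed staff and use from unexpected geographies. The key registry, HR roster, and auth events are constructed sample data; the field layout is an assumption, not any real system's log format.

```python
from datetime import date

# Constructed sample data (not from the brief): a signing-key registry that
# records which person or service owns each key id (kid) and when it was
# revoked, the HR offboarding roster, and token-use events carrying the kid
# that signed the presented token. Field layout is assumed for illustration.
KEY_REGISTRY = {                       # kid -> (owner, revoked_on or None)
    "kid-auth-alt-01": ("former.engineer", None),  # never revoked: the failure mode
    "kid-auth-main-02": ("svc-auth", None),
}
DEPARTED = {"former.engineer": date(2025, 11, 1)}  # user -> last working day
TODAY = date(2026, 6, 13)
EXPECTED_COUNTRIES = {"KR"}            # where legitimate token use is expected

AUTH_EVENTS = [  # (date, subject, kid, source_country, endpoint)
    (date(2026, 1, 5), "customer-1", "kid-auth-main-02", "KR", "/account"),
    (date(2026, 1, 5), "customer-2", "kid-auth-alt-01", "CN", "/delivery"),
    (date(2026, 2, 9), "customer-3", "kid-auth-alt-01", "CN", "/account"),
    (date(2026, 2, 9), "customer-4", "kid-auth-main-02", "KR", "/delivery"),
]

def find_orphaned_keys(registry, departed, today):
    """Keys still unrevoked whose owner left before `today`: the offboarding gap."""
    return sorted(kid for kid, (owner, revoked) in registry.items()
                  if revoked is None and owner in departed and departed[owner] < today)

def flag_events(events, registry, departed, expected_countries):
    """Return (event, reasons) for every token use that should raise an alert."""
    findings = []
    for ev in events:
        when, _subject, kid, country, _endpoint = ev
        reasons = []
        owner, revoked = registry.get(kid, (None, None))
        if owner is None:
            reasons.append("token signed by unknown kid")
        elif owner in departed and departed[owner] < when and revoked is None:
            reasons.append("key owned by departed user %s still in use" % owner)
        if country not in expected_countries:
            reasons.append("use from unexpected geography %s" % country)
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    print("orphaned keys:", find_orphaned_keys(KEY_REGISTRY, DEPARTED, TODAY))
    for ev, reasons in flag_events(AUTH_EVENTS, KEY_REGISTRY, DEPARTED, EXPECTED_COUNTRIES):
        print(ev[0], ev[2], "->", "; ".join(reasons))
```

In a real deployment the orphaned-key audit would run against the identity provider's key store and the HR system, and the event pass would be a scheduled query in the SIEM rather than an in-memory list.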

South Staffordshire Water — ICO £963,900 fine

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

ICO fines South Staffordshire Water £963,900 over the 2022 Cl0p ZeroLogon kill-chain intrusion (daily 2026-05-12). The water-sector OES finding with the partial SIEM coverage detail (5% host-inventory coverage) is the operational lesson for any utility / critical-infrastructure operator with patchy telemetry. Regulatory significance: the ICO penalty on a critical-infrastructure operator gives Swiss BACS / EU NIS2 competent authorities a template fine-calculation for analogous deficiencies (daily 2026-05-12).

ICO fines South Staffordshire Water £963,900 — water-sector OES with partial SIEM coverage; Cl0p attribution and ZeroLogon kill-chain detail sourced to The Record

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

The UK Information Commissioner's Office on 2026-05-11 issued a £963,900 fine against South Staffordshire Plc and its water-supply subsidiary for the 2020–2022 intrusion. The ICO's published findings cite inadequate vulnerability management, unpatched critical systems, obsolete unsupported software (the estate still contained Windows Server 2003, EOL since July 2015), and incomplete SIEM coverage; the regulator does not name a CVE or threat actor in its public notice. The technical kill-chain detail — phishing initial access in September 2020 → CVE-2020-1472 (ZeroLogon, T1068) against two unpatched domain controllers → domain admin → ~20 months of unimpeded lateral movement → detection in July 2022 when IT performance degraded — comes from The Record's reporting, as does the Cl0p attribution. The ICO press release records that data on about 1.85 million customers (approximately 750,000 current and 1.1 million former) was held by the company, of which 633,887 individuals had data published on the dark web, and that the published dataset totalled over 4.1 TB including customer credentials, bank account/sort codes, Priority Services Register data (from which disability status can be inferred) and HR records (The Register, 2026-05-11). The fine was reduced 40% on the basis of early admission and cooperative engagement; South Staffordshire agreed not to appeal.

Why it matters to us: The ICO action is the first significant post-Cyber-Security-and-Resilience-Bill UK regulatory action against a water-sector OES, and the regulator's operational findings transfer verbatim to NIS2 Article 21 technical measures and the German KRITIS-DachG public-administration scope that came into force this spring. Concrete defender takeaway: (a) measure your actual SIEM/XDR coverage percentage by hostname inventory rather than by sensor-licence count — partial coverage on a high-value subset is materially worse than uniform sampling; (b) the ZeroLogon pivot reported by The Record is a long-tail patch-management hygiene point on domain controllers any SOC can audit against; (c) detection logic that survives this case maps to Sysmon-class auditing of DC authentication events — 4742 (account changes) and 4769 Kerberos service-ticket anomalies — after vendor disclosure of any DC-impacting CVE.

Audit SIEM/XDR telemetry coverage as a percentage of host inventory; the South Staffordshire 5%-coverage finding is the operational lesson

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

For any NIS2 / KRITIS-DachG / CER essential-entity SOC: measure SIEM / XDR coverage by hostname inventory rather than by sensor-licence count. The South Staffordshire 5% finding is what the ICO judged as inadequate for a water OES; with NIS2 transposition in force across the EU and KRITIS-DachG live in Germany, regulators are now armed with a concrete UK precedent for what "proportionate technical measures" failure looks like in court. Practical first step: pull a list of every Active Directory–joined host from AD; cross-reference against the EDR / SIEM source list; flag the delta. The delta is what the ICO would call the gap.
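The cross-reference step above, as an added example that is not part of the brief: it computes coverage as a percentage of the host inventory and lists the delta in both directions. The AD export and SIEM source list are constructed samples; the domain suffix is an assumption. Hostname normalisation is included because FQDN/short-name and case mismatches between the two exports otherwise undercount coverage.

```python
# Constructed sample exports (not real inventories): AD-joined computer objects
# as an AD export would list them, and the hosts the SIEM/EDR has actually
# received events from. The name forms deliberately differ (FQDN vs short,
# case, trailing '$' from sAMAccountName), which is where naive string
# comparison produces a wrong coverage figure.
AD_HOSTS = ["DC01.corp.example", "DC02.corp.example", "SCADA-HMI-1.corp.example",
            "FILESRV03.corp.example", "WS-FIN-22.corp.example", "LEGACY2003.corp.example"]
SIEM_SOURCES = ["dc01", "fileSrv03.corp.example", "ws-fin-22", "WS-FIN-22$",
                "laptop-x1"]  # laptop-x1 reports to the SIEM but is not AD-joined

def normalise(name, domain_suffix=".corp.example"):
    """Canonical hostname: lower-case, strip a trailing '$' and the AD domain suffix."""
    n = name.strip().lower().rstrip("$")
    if n.endswith(domain_suffix):
        n = n[: -len(domain_suffix)]
    return n

def coverage_report(ad_hosts, siem_sources, domain_suffix=".corp.example"):
    """Coverage as a share of the host inventory, plus the delta in both directions."""
    inventory = {normalise(h, domain_suffix) for h in ad_hosts}
    reporting = {normalise(h, domain_suffix) for h in siem_sources}
    covered = inventory & reporting
    uncovered = sorted(inventory - reporting)   # the gap a regulator would count
    unmanaged = sorted(reporting - inventory)   # telemetry from hosts outside the inventory
    pct = 100.0 * len(covered) / len(inventory) if inventory else 0.0
    return {"inventory": len(inventory), "covered": len(covered),
            "coverage_pct": round(pct, 1), "uncovered": uncovered, "unmanaged": unmanaged}

if __name__ == "__main__":
    report = coverage_report(AD_HOSTS, SIEM_SOURCES)
    print("coverage: %d/%d hosts (%.1f%%)" % (report["covered"], report["inventory"],
                                               report["coverage_pct"]))
    print("no telemetry from:", ", ".join(report["uncovered"]))
    print("reporting but not in AD:", ", ".join(report["unmanaged"]))
```

Hosts that report but are absent from AD are worth a second look too: they are either inventory gaps or devices the directory does not govern.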