In 2025, South Korea’s largest e-commerce company Coupang suffered a data breach traced to a single NHI (non-human identity) lifecycle failure: a former employee retained active signing keys after leaving the company. The keys were never rotated, never revoked, and never audited. For months, they provided an access path that resulted in the exfiltration of 33.7 million customer records – names, contact details, purchase histories, and other personal information. The breach was detected in November 2025, five months after initial access. Coupang was fined $409 million. The root cause was not a sophisticated attack. It was a missing offboarding step.
What Happened
Coupang is South Korea’s dominant e-commerce platform, often described as the Amazon of South Korea, with over 21 million active customers and annual revenues exceeding $24 billion. The company handles enormous volumes of customer personal data including purchase histories, delivery addresses, payment information, and contact details.
The breach was caused by signing keys held by a former employee that were never rotated or revoked following that employee’s departure from the company. The former employee retained functional credential access to Coupang systems after offboarding. That access was exploited, whether directly or through a third party, to exfiltrate customer data over a period that remained undetected for approximately five months.
The timeline:
- Mid-2025: Estimated initial access using retained signing keys
- November 2025: Coupang detects the breach
- November 2025 onwards: Investigation and remediation
- 2025-2026: Korean Personal Information Protection Commission (PIPC) investigation and enforcement
- 2026: $409 million fine imposed — one of the largest data protection penalties in South Korean history
The breach affected 33.7 million records: a significant fraction of Coupang’s active customer base. Exposed data included customer names, email addresses, phone numbers, delivery addresses, and purchase history.
How It Happened
The failure is straightforward and entirely preventable. Signing keys (cryptographic credentials used to authenticate API calls, sign transactions, or verify system identity) are non-human identities. They do not expire on their own: unless the verifying side enforces a validity period or consults a revocation list, a key stays usable for as long as the secret exists. They do not know their owner has left the organisation. They continue to function as long as they remain valid and unrevoked, regardless of whether the human who held them still works at the company.
Coupang’s offboarding process did not include signing key rotation and revocation. When the employee departed, their human account was likely deactivated. The non-human credentials associated with that employee’s access (signing keys, API tokens, service credentials) were not treated as part of the offboarding scope. They persisted, valid and functional, for months.
This is the NHI offboarding gap. Human identity offboarding has mature processes in most organisations: accounts are deactivated, group memberships are removed, access cards are returned. Non-human identity offboarding does not have equivalent maturity. Signing keys, API tokens, OAuth grants, and service account credentials associated with a departing employee are routinely overlooked.
The five-month detection window compounds the failure. No anomaly detection identified that credentials belonging to a former employee were actively being used. No periodic access review flagged that the signing keys were still valid and potentially in use by someone no longer authorised to hold them.
What This Means for NHI Governance
The Coupang breach is one of the clearest case studies in the cost of NHI lifecycle management failure. Every major NHI security framework — OWASP NHI Top 10, NHIMG research, industry analyst guidance — identifies offboarding and credential rotation as foundational controls. Coupang’s $409 million fine is the direct consequence of not having those controls in place.
The NHI lifecycle failures in this breach:
- No offboarding process for non-human credentials. Signing keys, API tokens, and service credentials were not included in the employee offboarding scope. The human account was terminated; the machine credentials were not.
- No periodic rotation schedule. Signing keys that are never rotated are permanently valid unless explicitly revoked. A rotation schedule would have limited the breach window regardless of whether the offboarding step was missed.
- No audit or monitoring of signing key usage. Active use of credentials associated with a former employee account over a five-month period should be detectable. The absence of monitoring allowed the breach to continue undetected.
- No inventory of credential-to-person associations. To revoke a departing employee’s non-human credentials, an organisation needs to know which credentials are associated with which humans. If that mapping does not exist, offboarding cannot include NHI revocation.
The $409 million fine reflects the scale of data exposed and the duration of the access window. Both are directly attributable to the absence of a signing key rotation and revocation programme.
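The detection gap in the list above (a credential used after its owner's departure, from an unexpected network, out of hours, or with no owner on record) reduces to joining usage logs against the credential inventory. The following Python is an added example, not Coupang's tooling or code from this page's author; the JSON-lines log format, the directory structure, the business-hours window and the sample log lines are all constructed assumptions.

```python
"""Flag use of signing keys whose owner has already been offboarded.

Added example, not Coupang's code or tooling from the page's author.
The log format (JSON lines with ts/kid/src_ip/action) and the key
directory are hypothetical and constructed inline.
"""
import ipaddress
import json
from datetime import datetime

# Constructed inventory: key ID -> owner, offboarding time (if any) and
# the networks the key is documented to be used from.
DIRECTORY = {
    "kid-001": {"owner": "alice", "offboarded": None, "allowed_nets": ["10.0.0.0/8"]},
    "kid-002": {"owner": "bob", "offboarded": "2025-06-01T00:00:00Z", "allowed_nets": ["10.0.0.0/8"]},
    "kid-003": {"owner": None, "offboarded": None, "allowed_nets": ["10.0.0.0/8"]},
}

# Constructed usage log: two hits from kid-002 after bob left, one from a
# key with no owner, one from a key not in the inventory at all.
SAMPLE_LOG = """\
{"ts": "2025-05-20T10:12:03Z", "kid": "kid-002", "src_ip": "10.0.3.7", "action": "export_orders"}
{"ts": "2025-06-14T02:41:55Z", "kid": "kid-002", "src_ip": "203.0.113.9", "action": "export_orders"}
{"ts": "2025-07-02T03:05:10Z", "kid": "kid-002", "src_ip": "203.0.113.9", "action": "export_customers"}
{"ts": "2025-07-02T09:00:00Z", "kid": "kid-001", "src_ip": "10.0.3.8", "action": "list_orders"}
{"ts": "2025-07-03T04:00:00Z", "kid": "kid-003", "src_ip": "198.51.100.4", "action": "export_customers"}
{"ts": "2025-07-03T11:00:00Z", "kid": "kid-999", "src_ip": "10.0.3.9", "action": "list_orders"}
"""

OFF_HOURS_END = 6  # 00:00-05:59 UTC counts as outside business hours (assumption)


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def classify_event(ev, directory):
    """Return the list of alert reasons for one usage event (empty if benign)."""
    meta = directory.get(ev["kid"])
    if meta is None:
        return ["credential not in inventory"]
    reasons = []
    ts = parse_ts(ev["ts"])
    if meta["owner"] is None:
        reasons.append("no documented owner")
    elif meta["offboarded"] is not None:
        off = parse_ts(meta["offboarded"])
        if ts >= off:
            reasons.append(f"used {(ts - off).days} days after owner {meta['owner']} was offboarded")
    ip = ipaddress.ip_address(ev["src_ip"])
    if not any(ip in ipaddress.ip_network(n) for n in meta["allowed_nets"]):
        reasons.append(f"source {ev['src_ip']} outside documented networks")
    if ts.hour < OFF_HOURS_END:
        reasons.append("off-hours use")
    return reasons


def find_alerts(log_text=SAMPLE_LOG, directory=DIRECTORY):
    """Run every log line through classify_event and keep the ones that alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = classify_event(ev, directory)
        if reasons:
            alerts.append({"kid": ev["kid"], "ts": ev["ts"], "action": ev["action"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_alerts():
        print(a["ts"], a["kid"], a["action"], "; ".join(a["reasons"]))
```

In the constructed log the two hits from kid-002 after bob's offboarding are exactly the pattern the page says went unnoticed for five months, and they also trip the network and off-hours checks; kid-999 shows why a credential missing from the inventory is itself an alert condition rather than something to ignore.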
Recommendations
- Build an inventory of all non-human credentials with associated human owners. Every signing key, API token, OAuth grant, and service credential in your environment should have a documented owner. When that owner leaves, their credentials leave with them.
- Include non-human credential revocation in every employee offboarding checklist. Departing employee offboarding must include: identify all signing keys, API tokens, and service credentials associated with this individual; rotate or revoke all of them before the employee’s last day.
- Implement a rotation schedule for all long-lived credentials. Signing keys and API tokens should have a maximum validity period. Periodic rotation limits the blast radius of any undetected credential theft or orphaned access.
- Monitor signing key and API token usage for anomalous patterns. Access from unexpected IP addresses, access outside normal business hours, and access patterns inconsistent with the credential’s documented purpose should all trigger alerts.
- Audit for zombie credentials periodically. Credentials that have not been used in 90 days, credentials associated with deactivated user accounts, and credentials with no documented owner are all high-risk. They should be rotated or revoked.
- Separate credential lifecycle management from human identity management. Do not rely on HR offboarding processes to catch non-human credential revocation. Build dedicated NHI offboarding workflows that trigger automatically when human account deactivation occurs.
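Taken together, the recommendations above describe one lifecycle: keys are issued only against a documented, active owner; the verifier enforces revocation and a maximum age; HR deactivation triggers revocation of everything the person owned; rotation gives callers an overlap window; and a periodic audit catches keys whose owner was deactivated without that hook firing. The Python below is an added example implementing that lifecycle, not Coupang's code or anything from this page's author. HMAC-SHA256 request signing stands in for whatever signing scheme was actually involved, and the registry, method names and policy values (90-day maximum age, 7-day overlap) are assumptions.

```python
"""Signing-key lifecycle: owner inventory, bounded validity, revocation on
offboarding, rotation with overlap, and a zombie-credential audit.
Added example, not Coupang's or the page author's code; HMAC-SHA256 request
signing stands in for the real scheme and every name and policy value is assumed."""
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_KEY_AGE = timedelta(days=90)      # hard ceiling on key validity (assumption)
ROTATION_OVERLAP = timedelta(days=7)  # old key stays valid this long after rotation (assumption)
ZOMBIE_IDLE = timedelta(days=90)      # unused-for-90-days threshold from the text


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    owner: str                    # documented human owner, required at issue time
    created_at: datetime
    last_used: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


class KeyRegistry:
    def __init__(self):
        self.keys = {}       # kid -> SigningKey
        self.active = set()  # usernames still employed

    def issue(self, owner, now):
        if owner not in self.active:
            raise ValueError("keys are only issued to an active, documented owner")
        k = SigningKey(f"kid-{secrets.token_hex(4)}", secrets.token_bytes(32), owner, now)
        self.keys[k.kid] = k
        return k

    def sign(self, kid, payload):
        return hmac.new(self.keys[kid].secret, payload, hashlib.sha256).hexdigest()

    def verify(self, kid, payload, sig, now):
        """The verifier enforces revocation and age, not just the MAC."""
        k = self.keys.get(kid)
        if k is None:
            return False, "unknown kid"
        if k.revoked_at is not None and now >= k.revoked_at:
            return False, "revoked"
        if now - k.created_at > MAX_KEY_AGE:
            return False, "expired (rotation overdue)"
        if not hmac.compare_digest(self.sign(kid, payload), sig):
            return False, "bad signature"
        k.last_used = now
        return True, "ok"

    def offboard(self, user, now):
        """Hook fired by the HR deactivation event: revoke every key the person owns."""
        self.active.discard(user)
        revoked = [k.kid for k in self.keys.values() if k.owner == user and k.revoked_at is None]
        for kid in revoked:
            self.keys[kid].revoked_at = now
        return revoked

    def rotate(self, kid, now):
        """Issue a replacement; the old key is revoked once the overlap window closes."""
        old = self.keys[kid]
        old.revoked_at = now + ROTATION_OVERLAP
        return self.issue(old.owner, now)

    def zombie_audit(self, now):
        """Live keys whose owner is gone, or that have sat idle beyond ZOMBIE_IDLE."""
        findings = []
        for k in self.keys.values():
            if k.revoked_at is not None and now >= k.revoked_at:
                continue
            if k.owner not in self.active:
                findings.append((k.kid, "owner deactivated"))
            elif (k.last_used or k.created_at) < now - ZOMBIE_IDLE:
                findings.append((k.kid, "unused for over 90 days"))
        return findings


def demo():
    """Walk keys through the lifecycle and return what the verifier and audit saw."""
    t0 = datetime(2025, 1, 6, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    payload = b"GET /customers/export"
    reg = KeyRegistry()
    reg.active.update({"bob", "carol"})
    k = reg.issue("bob", t0)
    sig = reg.sign(k.kid, payload)
    before = reg.verify(k.kid, payload, sig, day(30))
    revoked = reg.offboard("bob", day(60))          # the step Coupang's process lacked
    after = reg.verify(k.kid, payload, sig, day(61))
    # Rotation keeps the old key usable only for the overlap window, and the age
    # ceiling catches a key nobody rotated. Deactivating carol in the directory
    # without calling offboard() leaves a zombie that only the audit catches.
    k2 = reg.issue("carol", t0)
    sig2 = reg.sign(k2.kid, payload)
    k3 = reg.rotate(k2.kid, day(80))
    overlap = reg.verify(k2.kid, payload, sig2, day(85))
    rotated_out = reg.verify(k2.kid, payload, sig2, day(88))
    stale = reg.verify(k3.kid, payload, reg.sign(k3.kid, payload), day(180))
    reg.active.discard("carol")
    audit = reg.zombie_audit(day(180))
    return {"before": before, "after": after, "revoked": revoked, "overlap": overlap,
            "rotated_out": rotated_out, "stale": stale, "audit": audit, "k3": k3.kid}
```

Calling `demo()` shows the two halves of the argument side by side: bob's key stops working the day after `offboard()` fires, whereas carol's rotated key is only stopped by the 90-day age ceiling, which on its own leaves a window of up to MAX_KEY_AGE for an orphaned key. The audit exists for the case where the directory was updated but the registry hook never ran, which is the L31 point that HR offboarding alone cannot be relied on.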
How NHI Mgmt Group Can Help
Securing Non-Human Identities (NHIs), including AI agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting its digital assets.
Take our NHI Foundation Level Training Course, the most comprehensive in the industry, that will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.
Final Thoughts
The Coupang signing key breach cost $409 million because a non-human credential was not revoked when its human owner left the company. That is the entire story. No sophisticated attacker technique. No novel vulnerability. No complex multi-stage intrusion. A signing key that should have been rotated during employee offboarding was not, and it remained valid and exploitable for months.
The NHI lifecycle management failure that produced this breach is present in the majority of organisations today. Non-human credentials are routinely excluded from offboarding processes because those processes were designed around human accounts. The Coupang fine is the regulatory price of that exclusion. The governance fix is straightforward: every human has a set of associated non-human credentials, and when the human leaves, the credentials leave too.