Daily Signal Note: Identity Without Termination Authority
CybersecurityHQ | CISO Cyber Briefing Note

CybersecurityHQ provides analyst-grade cyber intelligence used by CISOs and security leaders inside the Fortune 100. Each briefing identifies structural security failures and decision breakdowns across identity, machine trust, third-party access, and enterprise attack surfaces. This work exists to inform executive judgment, not to react to headlines.
Coverage includes weekly CISO intelligence, deep-dive reports, and formal decision artifacts. Individual and organizational coverage available.
Signal 1: Coupang Announces $1.17B Breach Compensation. South Korea's largest online retailer will issue vouchers to 33.7 million affected customers following data breach disclosed November 18, 2025. Breach traced to former employee in IT/authentication management who retained access credentials after 2024 departure. Data from approximately 3,000 accounts confirmed stored on suspect's recovered hard drives. CEO Park Dae-jun resigned. US securities class action filed December 27 (Barry v. Coupang, S.D. Fla.) alleging delayed disclosure.
Signal 2: Two US Cybersecurity Professionals Plead Guilty to BlackCat Ransomware Attacks. Ryan Goldberg, 40, former Sygnia incident response manager, and Kevin Martin, 36, former DigitalMint ransomware threat negotiator, pleaded guilty December 30 in S.D. Florida. They deployed ALPHV BlackCat ransomware against five US companies between May and November 2023, extorted approximately $1.2 million in Bitcoin from one victim, and paid a 20% affiliate fee to the ransomware operators. Maximum 20 years each.
Signal 3: Korean Air Employee Data Stolen via Oracle EBS Campaign. Korean Air disclosed 30,000 current and former employee records stolen from catering subsidiary KC&D. KC&D was spun off and sold to private equity in 2020 but continues serving Korean Air. Incident linked to ongoing Clop exploitation of Oracle E-Business Suite zero-day (CVE-2025-61882). Approximately 500GB published on Clop leak site November 21.
Signal 4: European Space Agency Confirms Breach of External Collaborative Servers. ESA disclosed December 30 that external servers supporting unclassified collaborative engineering were compromised. Servers operate outside ESA primary corporate defenses, likely hosted by third-party collaborators. Attack vector and data exfiltrated not disclosed.
Assumption Retired. "Identity control ends at the organizational boundary." Across retail, incident response, aviation, and space research, access persisted beyond employment, divestiture, and perimeter. Identity governance failed not at login, but at termination, transfer, and trust revocation.
Insight. Modern breach economics favor insiders, former insiders, and adjacent third parties because identity outlives organizational control. When access persists without clear ownership, breaches no longer require exploitation, only patience.
Unresolved Edge. Who is accountable for identities that persist after employment ends, companies are divested, or systems sit outside formal perimeter defenses, and how is that liability documented?
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.