[tialaramex]

So, taking "personal" to mean specifically that they belong to an individual as opposed to a service account, yes, that definitely has happened in real security incidents with big consequences.

There's a 2008 Fedora incident of this sort, a Fedora Administrator's private key was "stolen" by bad guys and used to upload replacement packages which is well documented e.g. https://lwn.net/Articles/326170/.

I think we should assume that this has also happened plenty of times to organisations which have a default posture of not telling you about incidents at all unless required by law.