Coupang’s large-scale data breach in South Korea has escalated into a broader geopolitical dispute, as an increasing number of U.S.-based investors initiate legal proceedings against the South Korean Government.
What began as a regulatory review into alleged data security shortcomings has evolved into a broader dispute centred on claims that the U.S.-headquartered company is being treated unfairly by Korean authorities.
Although Coupang operates primarily in South Korea, Taiwan, and Japan, and is often described as the “Amazon of South Korea,” its global headquarters are located in Seattle, Washington.
The company’s investors are now seeking international arbitration under the U.S.-Korea Free Trade Agreement. On January 23, 2026, U.S. investment firms Greenoaks and Altimeter submitted a notice to South Korea’s Ministry of Justice, asserting that they incurred losses as a result of what they described as a discriminatory investigation into the breach. The firms indicated they intend to pursue investor–state dispute settlement arbitration under the FTA framework.
South Korea’s Ministry of Justice confirmed Thursday that three additional investors — Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management — have joined the filing, alleging unlawful conduct by the Government toward the e-commerce platform.
The dispute stems from a December disclosure by Coupang that personal data belonging to nearly 34 million Korean customers had been exposed in a breach that persisted for more than five months. According to the company, the compromised information included names, email addresses, phone numbers, shipping addresses, and certain order histories.
While other high-profile technology breaches in South Korea have led to comparatively light regulatory action, Coupang has reportedly faced substantial pressure from authorities. Investors allege the Government threatened heavy fines, potential suspension of operations, and travel restrictions for executives. They also claim that officials attempted to limit public communication and mischaracterised the scale of the breach.
South Korea’s Personal Information Protection Commission stated that over 30 million Coupang accounts were exposed. However, the investors contend that only approximately 3,000 accounts were directly affected.
In December, both the South Korean Government and the PIPC indicated the severity of the incident could justify significant financial penalties. Current law caps fines at 3% of revenue—a figure that could exceed $800 million for Coupang, according to U.S. investors. Some lawmakers have proposed increasing the ceiling to 10% and applying the changes retroactively.
Although any new statute would not formally apply to Coupang because the breach occurred before the enactment of the relevant legislative changes, a Democratic Party lawmaker reportedly suggested imposing punitive fines through new legislation or a special parliamentary measure. The PIPC has supported that concept, according to local reporting. South Korean President Lee Jae Myung publicly called for strong penalties, suggesting the company had not faced sufficient consequences.
The investors’ notice characterises the Government’s actions as an “unprecedented assault” on a U.S. enterprise. The filing argues:
The Government’s unprecedented assault on a U.S. company to benefit its Korean and Chinese competitors is an egregious violation of the Treaty, principles of international law, and the historic partnership between Korea and the United States … The Government’s shocking conduct has left the U.S. investors with no choice. If the Government does not immediately cease its attacks against Coupang, fully restore the company’s ability to operate its business, and permanently end its longstanding campaign of discrimination against the company, then the U.S. investors will be forced to seek billions of dollars in damages from Korea to protect their investments in Coupang and remedy the Government’s ongoing Treaty violations, including attempted expropriation.
The filing represents a preliminary step before formal litigation. The Ministry of Justice is reviewing the submission, initiating a mandatory 90-day consultation period before arbitration proceedings may formally commence.
The investors’ complaint also points to what they describe as inconsistent enforcement practices. They cite other recent breaches in South Korea, including cases involving KakaoPay, SK Telecom, Upbit, and AliExpress.
KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore but was fined roughly $10 million and issued a warning to its CEO. SK Telecom was fined $91 million following a major SIM card breach. Upbit and AliExpress also faced comparatively limited action. Investors argue that these cases stand in sharp contrast to the regulatory response to Coupang.
South Korea’s Ministry of Science and ICT announced Wednesday that the breach was carried out by a former employee who had worked on Coupang’s authentication systems and was familiar with vulnerabilities in both the authentication framework and key management system.
The ministry alleges that Coupang failed to notify the Korea Internet & Security Agency within 24 hours of discovering the breach and did not fully comply with a November 2025 data preservation order, resulting in the deletion of certain web and app access logs. Authorities have referred the matter to investigators and directed Coupang to submit a remediation plan by February 2026, with compliance oversight extending through July.
Coupang responded in a statement, saying the former employee, identified as a Chinese national, accessed data from more than 33 million accounts but retained only around 3,000 records before deleting them. The company stated that no highly sensitive information, including payment details, passwords, or government identification numbers, was accessed.
In December, Coupang also replaced CEO Park Dae-jun with Harold Rogers, the chief legal officer of its U.S. parent entity.
Adam Farrar, senior associate at the Centre for Strategic and International Studies and senior geoeconomics analyst for Asia-Pacific at Bloomberg, commented on the issue during Tuesday’s Impossible State podcast. He said the episode has evolved beyond a corporate data breach into a broader diplomatic matter between the United States and South Korea.
Farrar noted that the case reinforces wider U.S. concerns about alleged discriminatory treatment of American technology firms and could heighten trade and tariff tensions as U.S. lawmakers take greater interest.
“The massive data breach [by Coupang] led to a series of investigations in the National Assembly and some very combative back and forth with Coupang and a series of executives over the past several months,” Farrar said. “The additional dynamic here is that Coupang, while driving almost all of its earnings from Korea, is now a U.S.-based company that adds to the dynamic on both sides, impacting how they’re perceived and seen.”
He added that the situation raises larger questions about whether South Korea’s regulatory approach disproportionately affects U.S. firms. Critics have cited policies they say favour domestic competitors, including network usage fees applied to content providers like Netflix, payment system requirements affecting Apple’s App Store and Google Play, and localisation rules that restrict services such as Google Maps on national security grounds.
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
