Coupang’s massive data breach in South Korea has now become a geopolitical flashpoint as a growing number of the company’s American investors take legal action against the South Korean government.
What began as a regulatory investigation into a data security failure has expanded into a broader dispute over alleged unfair treatment of the US-headquartered company.
While Coupang – which operates in South Korea, Taiwan and Japan – is often referred to as the “Amazon of South Korea,” its worldwide headquarters is actually located in Seattle, Washington.
The company’s investors are now seeking international arbitration under the US-Korea Free Trade Agreement (FTA). On January 23, 2026, two American investment companies Greenoaks and Altimeter I gave notice With the South Korean Ministry of Justice, saying they suffered losses due to what they described as the government’s discriminatory investigation into the data breach. They said they plan to pursue Investor-State Dispute Settlement (ISDS) arbitration under the US-Korea Free Trade Agreement.
Ministry of Justice of South Korea He said on Thursday that three more investors, including Abrams Capital, Durable Capital Partners and Foxhaven Asset Management have now joined the case. They claim that the government acted illegally towards the e-commerce company.
To recap the incident: In December, Coupang disclosed that the personal information of nearly 34 million Korean customers had been leaked in a data breach that lasted more than five months. The company said the breach included customer names, email addresses, phone numbers, shipping addresses, and the history of certain orders.
While other technical violations in Korea have resulted in less severe penalties, Coupang has faced unusual government pressure. She reportedly threatened the government Huge fines, Suspension of operationsand travel ban For executives while Coupang investors claim it also sought To prevent public communications and repeatedly misrepresenting the scope of the violation.
TechCrunch event
Boston, MA
|
June 23, 2026
Korea’s Personal Information Protection Commission (PIPC) said more than 30 million Coupang accounts were exposed – but the facts are only 3,000 accounts are affected, according to Coupang investors.
In December, the South Korean government and Bebek said The Coupang violation was serious enough to warrant higher fines. Under current law, penalties are capped at 3% of revenue, more than $800 million for Coupang, according to US investors, but some lawmakers have proposed raising the cap to 10% and applying it retroactively.
Even if the new law is passed, it will not apply to Coupang, because the violation occurred before the rules were changed. But one of the country’s Democratic Party lawmakers has proposed imposing punitive fines, either through new legislation or a special act of parliament, and the PIPC has backed the idea. According to news reports. And South Korean President Lee Jae-myung as well in public He called for severe penaltiesWhich indicates that the company did not face enough consequences.
Based on Notice of filing of intent Legal counsel for investors issued a report in which investors say the South Korean government’s actions constitute an “unprecedented attack” on Coupang. They say in the recording:
The government’s unprecedented assault on an American company on behalf of its Korean and Chinese competitors is a flagrant violation of the treaty, the principles of international law, and the historic partnership between Korea and the United States… The government’s shocking behavior has left American investors no choice. If the government does not immediately cease its attacks against Coupang, fully restore the company’s ability to conduct its business, and permanently end its long-standing discriminatory campaign against the company, American investors will be forced to seek billions of dollars in damages from Korea to protect their investments in Coupang and address the government’s ongoing violations of the treaty, including attempted expropriation.
Filing is an initial step before litigation. South Korea Ministry of Justice He is now reviewing the Notice of Intent, which begins Mandatory consultation period of 90 days Before the formal arbitration begins.
Coupang, Abrams Capital and Foxhaven Asset Management did not respond to TechCrunch’s request for comment. No access to permanent capital partners.
According to the investor filing, South Korea’s handling of data breaches has been inconsistent, specifically pointing to other recent data breaches in South Korea, including KakaoPay, SK Telecom, Upbit, and Alibaba’s AliExpress.
KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore, but faced a standoff A fine of only $10 million And the CEO’s warning, while SK Telecom was fined $91 million After a major SIM card breach. Obit and AliExpress It also saw minimal government action. Investors say these examples highlight the stark contrast to the government’s response to Coupang.
South Korea’s Ministry of Science, ICT, and Communications said on Wednesday that the Coupang data breach was carried out by a former employee who worked on the company’s authentication systems and was aware of vulnerabilities in both the authentication framework and key management system.
The ministry alleges that Coupang failed to notify the Korea Internet and Security Agency (KISA) of the breach within 24 hours and did not fully implement a data preservation order issued in November 2025, resulting in the deletion of key web and app access logs. The ministry referred the matter to investigators and ordered Coupang to submit a prevention plan by February 2026, with compliance monitored until July.
Coupang Issue a statementSaying that the employee, a Chinese citizen, had access to data from more than 33 million accounts but only kept about 3,000 accounts before deleting them, and no sensitive information such as payment data, passwords or government IDs was accessed.
Coupang also replaced its CEO, Park Dae-jun, with Harold Rogers, the parent company’s top lawyer in the United States, in December.
said Adam Farrar, a senior fellow at CSIS and senior Asia-Pacific geoeconomics analyst at Bloomberg Tuesday’s Impossible State Podcast What started as a major data breach related to Coupang has evolved into a broader problem between the United States and South Korea.
Farrar said the case amplifies broader U.S. allegations of unfair treatment toward U.S. technology companies, raising trade and tariff risks for South Korea. US Congress He becomes increasingly involved.
“Massive data breach [by Coupang] “This has led to a series of investigations in the National Assembly and some very combative ones into Coupang and a series of executives over the last few months. The additional dynamic here is that Coupang, while driving almost all of its profits from Korea, is now a US-based company which adds to the dynamic on both sides, affecting how they are both viewed and seen,” Farrar said on the podcast.
Farrar continued that the issue extends beyond Coupang, raising broader questions about whether South Korea is unfairly targeting American companies.
Critics point to digital policies they say favor local businesses, including network usage fees on content providers like Netflix and Apple’s App Store, Google Play’s payment rules, and data localization requirements that limit services like Google Maps on national security grounds.
