Coupang’s massive data breach in South Korea has now become a geopolitical flashpoint, with a growing number of the company’s American investors taking legal action against the South Korean government.
What began as a regulatory investigation into data security failures has expanded into a wider controversy over alleged unfair treatment of the US-based company.
While Coupang – which operates in South Korea, Taiwan and Japan – is often referred to as the ‘Amazon of South Korea’, its global headquarters are actually in Seattle, Washington.
The company’s investors are now seeking international arbitration under the Korea-US Free Trade Agreement (KFTA). On January 23, 2026, US investment firms Greenoaks and Altimeter filed notice with South Korea’s Justice Ministry, saying they suffered losses from what they described as a biased government investigation into the data breach. They said they plan to pursue investor-state dispute settlement (ISDS) arbitration under the Korea-US FTA.
Ministry of Justice of South Korea he said On Thursday, three more investors, including Abrams Capital, Durable Capital Partners and Foxhaven Asset Management, have now joined the case. They claim the government acted illegally against the e-commerce company.
To recap: In December, Coupang revealed that nearly 34 million Koreans’ personal information had been leaked in a data breach that had been going on for more than five months. The breach involved customer names, email addresses, phone numbers, shipping addresses and some order histories, the company said.
While other tech breaches in Korea have resulted in less severe penalties, Coupang has faced extraordinary government pressure. The government reportedly threatened huge fines, work suspensionand travel bans for executives while, Coupang investors claim, trying to block public communication and misrepresenting the breach.
Techcrunch event
Boston, MA
|
June 23, 2026
The Personal Information Protection Commission of Korea (PIPC) said more than 30 million Coupang accounts were exposed — but the facts show only 3,000 accounts were affected, according to Coupang investors.
In December, the South Korean government and PIPC he said Coupang’s offense was serious enough to warrant higher fines. Under current law, penalties are capped at 3% of revenue, more than $800 million for Coupang, according to US investors, but some lawmakers have proposed raising the limit to 10% and applying it retroactively.
Even if the new law passes, it would not apply to Coupang as the breach occurred before the rules were changed. But a country Democrat MP proposed punitive fines, either through new legislation or a special act of parliament, and the PIPC backed the idea, per news reports. South Korean President Lee Jae Myung as well public care charged with heavy penaltiessuggesting that the company had not faced sufficient consequences.
Based on notice of intent to file released by the investors’ legal counsel, the investors say the South Korean government’s actions constitute an “unprecedented attack” on Coupang. In the deposition they argue:
“The administration’s unprecedented attack on an American company for the benefit of its Korean and Chinese competitors is a flagrant violation of the Treaty, the principles of international law, and the historic partnership between Korea and the United States…the administration’s shocking behavior has left US investors with no choice. long campaign of discrimination against the company, then US investors will be forced to seek billions of dollars in compensation from Korea to protect their investment in Coupang and remedy the government’s ongoing treaty violations, including the attempted expropriation.”
The deposition is a preliminary, pre-trial step. of South Korea Ministry of Justice now looks at the notice of intent, which begins mandatory 90-day consultation period before the formal arbitration begins.
Coupang, Abrams Capital and Foxhaven Asset Management did not respond to TechCrunch’s request for comment. Permanent capital partners could not be reached.
According to the investor filing, South Korea’s handling of data breaches has been inconsistent, specifically citing other recent data breaches in South Korea, including Alibaba’s KakaoPay, SK Telecom, Upbit and AliExpress.
KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore, but faced only a $10 million fine and CEO warning, while SK Telecom was fined $91 million after a massive sim card breach. Upbit and AliExpress it also saw little government action. Investors say these examples underscore the sharp contrast with the government’s response to Coupang.
South Korea’s Ministry of Science and ICT said on Wednesday that the Coupang data breach was carried out by a former employee who had worked on the company’s authentication systems and was aware of vulnerabilities in both the authentication framework and the key management system.
The ministry alleges that Coupang failed to report the breach to the Korea Internet and Security Agency (KISA) within 24 hours and did not fully implement the November 2025 data retention order, resulting in the deletion of key web and application access logs. The ministry referred the matter to investigators and ordered Coupang to submit a prevention plan by February 2026, with compliance monitored by July.
Coupang issued a statementsaying the employee, a Chinese national, accessed data from more than 33 million accounts but only kept about 3,000 before deleting them, and that no sensitive information such as payment data, passwords or government IDs was accessed.
Coupang also replaced its chief executive, Dae-jun Park, with Harold Rogers, its parent’s top US lawyer, in December.
Adam Farrar, senior fellow at CSIS and senior geoeconomics analyst for APAC at Bloomberg, said in Tuesday’s Impossible State podcast that what began as a major data breach involving Coupang has evolved into a broader issue between the United States and South Korea.
Farrar said the case bolsters broader U.S. allegations of unfair treatment of American technology companies, raising trade and tariff risks for South Korea as the US Congress is more and more involved.
“The massive data breach [by Coupang] It led to a series of inquiries in the National Assembly and some very combative back and forth with Coupang and a number of executives over the last few months,” Farrar said on the podcast. “The added dynamic here is that Coupang, while driving almost all of its earnings from Korea, is now a US-based company which adds to the dynamic on both sides, affecting how they are seen.”
The issue extends beyond Coupang, raising broader questions about whether South Korea is unfairly targeting American companies, Farrar continued.
Critics point to digital policies they argue favor domestic companies, including network usage fees on content providers like Netflix, Apple’s App Store and Google Play payment rules, and data tracking requirements that restrict services like Google Maps on national security grounds.
