Coupang’s massive data breach in South Korea has now become a geopolitical flashpoint as a growing number of the company’s U.S. investors take legal action against the South Korean government.
What began as a regulatory investigation into data security failures has expanded into a broader dispute over alleged unfair treatment of the U.S.-headquartered company.
While Coupang — which operates in South Korea, Taiwan, and Japan — is often referred to as the “Amazon of South Korea,” its worldwide headquarters are actually in Seattle, Washington.
The company’s investors are now seeking international arbitration under the U.S.-Korea Free Trade Agreement (FTA). On January 23, 2026, U.S. investment firms Greenoaks and Altimeter filed a notice with South Korea’s Ministry of Justice, saying they suffered losses from what they characterized as the government’s discriminatory investigation into the data breach. They said they plan to pursue investor–state dispute settlement (ISDS) arbitration under the U.S.-Korea FTA.
South Korea’s Ministry of Justice said Thursday that three more investors, including Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management have now joined the case. They are alleging the government acted unlawfully toward the e-commerce company.
To recap the incident: In December, Coupang disclosed that nearly 34 million Korean customers’ personal information had been leaked in a data breach that had been going on for more than five months. The breach involved customer names, email addresses, phone numbers, shipping addresses, and certain order histories, the company said.
While other tech breaches in Korea resulted in less severe penalties, Coupang has faced extraordinary government pressure. The government reportedly threatened massive fines, suspension of operations, and travel bans for executives while Coupang’s investors allege it also sought to block public communication and repeatedly misrepresented the scope of the breach.
Techcrunch event
Boston, MA
|
June 23, 2026
Korea’s Personal Information Protection Commission (PIPC) said that more than 30 million Coupang accounts were exposed — but the facts point to just 3,000 affected accounts, according to Coupang’s investors.
In December, South Korea’s government and the PIPC said the Coupang breach was serious enough to justify higher fines. Under current law, penalties are capped at 3% of revenue, more than $800 million for Coupang, according to the U.S. investors, but some lawmakers have proposed raising the limit to 10% and applying it retroactively.
Even if the new law passes, it wouldn’t apply to Coupang, since the breach occurred before the rules changed. But a Democratic Party lawmaker in the country suggested imposing punitive fines, through either new legislation or a special parliamentary act, and PIPC backed the idea, per news reports. South Korean president Lee Jae Myung also publicly called for heavy penalties, suggesting the company had not faced sufficient consequences.
Based on the notice of intent filing released by the investors’ legal adviser, the investors argue that the South Korean government’s actions constitute an “unprecedented assault” on Coupang. In the filing, they argue:
The Government’s unprecedented assault on a U.S. company to benefit its Korean and Chinese competitors is an egregious violation of the Treaty, principles of international law, and the historic partnership between Korea and the United States … The Government’s shocking conduct has left the U.S. investors with no choice. If the Government does not immediately cease its attacks against Coupang, fully restore the company’s ability to operate its business, and permanently end its longstanding campaign of discrimination against the company, then the U.S. investors will be forced to seek billions of dollars in damages from Korea to protect their investments in Coupang and remedy the Government’s ongoing Treaty violations, including attempted expropriation.
The filing is a preliminary, pre-litigation step. South Korea’s Ministry of Justice is now reviewing the notice of intent, which kicks off a mandatory 90-day consultation period before formal arbitration can begin.
Coupang, Abrams Capital, and Foxhaven Asset Management did not respond to TechCrunch’s request for comment. Durable Capital Partners could not be reached.
According to the investors’ filing, South Korea’s handling of data breaches has been inconsistent, specifically citing other recent data breaches in South Korea, including KakaoPay, SK Telecom, Upbit, and Alibaba’s AliExpress.
KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore, yet faced only a $10 million fine and a CEO warning, while SK Telecom was fined $91 million after a massive SIM card breach. Upbit and AliExpress also saw minimal government action. The investors say these examples underscore the stark contrast with the government’s response to Coupang.
South Korea’s Ministry of Science and ICT said Wednesday that the Coupang data breach was carried out by a former employee who had worked on the company’s authentication systems and was aware of vulnerabilities in both the authentication framework and key management system.
The Ministry alleges that Coupang failed to report the breach to the Korea Internet & Security Agency (KISA) within 24 hours and did not fully implement a November 2025 data preservation order, leading to the deletion of key web and app access logs. The ministry has referred the matter to investigators and ordered Coupang to submit a prevention plan by February 2026, with compliance monitored through July.
Coupang released a statement, saying that the employee, a Chinese national, accessed data from over 33 million accounts but retained only about 3,000 before deleting it, and that no sensitive info such as payment data, passwords, or government IDs was accessed.
Coupang also replaced its CEO, Park Dae-jun, with Harold Rogers, its U.S. parent’s top lawyer, in December.
Adam Farrar, senior associate at CSIS and senior geoeconomics analyst for APAC at Bloomberg, said on Tuesday’s Impossible State podcast that what began as a major data breach involving Coupang has grown into a broader issue between the United States and South Korea.
Farrar said that the case is amplifying broader U.S. claims of unfair treatment toward American technology firms, raising trade and tariff risks for South Korea as the U.S. Congress becomes increasingly engaged.
“The massive data breach [by Coupang] led to a series of investigations in the National Assembly and some very combative back and forth with Coupang and a series of executives over the past several months,” Farrar said in the podcast. “The additional dynamic here is that Coupang, while driving almost all of its earnings from Korea, is now a U.S.-based company that adds to the dynamic on both sides, impacting how they’re perceived and seen.”
The issue extends beyond Coupang, raising broader questions about whether South Korea is unfairly targeting U.S. companies, Farrar continued.
Critics point to digital policies they say favor domestic firms, including network usage fees on content providers like Netflix, Apple’s App Store and Google Play payment rules, and data localization requirements that limit services like Google Maps on national security grounds.
