Coupang's massive data breach in South Korea has become a geopolitical flashpoint, with a growing number of the company's US investors taking legal action against the South Korean government.
What began as a regulatory investigation into data security flaws has expanded into a broader dispute over alleged mistreatment of U.S.-based companies.
Coupang, which operates in South Korea, Taiwan, and Japan, is often referred to as the “Korean Amazon,” but its global headquarters are actually in Seattle, Washington.
The company's investors are currently seeking international arbitration under the Korea-US Free Trade Agreement (FTA). On January 23, 2026, US investment firms Green Oaks and Altimeter filed notices with South Korea's Ministry of Justice, claiming they suffered losses as a result of what the government called a discriminatory investigation into data breaches. They said they plan to proceed with Investor-State Dispute Settlement (ISDS) arbitration based on the Korea-US FTA.
South Korea's Ministry of Justice announced Thursday that three more investors have joined the lawsuit, including Abrams Capital, Durable Capital Partners and Foxhaven Asset Management. They allege that the government acted illegally against the e-commerce company.
To summarize the incident, Coupang disclosed in December that a data breach that had been going on for more than five months had exposed the personal information of approximately 34 million Korean customers. The company said the breach included customer names, email addresses, phone numbers, shipping addresses and certain order history.
While other technology violations in South Korea have resulted in less severe penalties, Coupang has been under extraordinary pressure from the government. The government is reportedly threatening huge fines, business suspensions and travel bans on executives, while Coupang investors claim it is cutting off public communications and attempting to misrepresent violations.
South Korea's Personal Information Protection Commission (PIPC) announced that more than 30 million Coupang accounts were compromised, but Coupang investors say only 3,000 accounts were affected.
The South Korean government and PIPC said in December that Coupang's violations were serious enough to warrant increased fines. Under current law, the penalty is capped at 3% of profits, or more than $800 million for Coupang, according to U.S. investors, but some lawmakers have proposed raising the cap to 10% and applying it retroactively.
Even if a new law were passed, it would not apply to Coupang because the violation occurred before the rules were changed. However, according to news reports, the country's Democratic lawmakers proposed imposing punitive fines either through new legislation or special parliamentary legislation, and PIPC supported the idea. South Korean President Lee Jae-myung also publicly called for heavy penalties and suggested the company did not face sufficient consequences.
Based on a notice of intent issued by the investors' legal advisors, the investors claim that the South Korean government's actions amount to an “unprecedented attack” on Coupang. In their submission, they claim:
“The government's unprecedented attack on a U.S. company to benefit Korean and Chinese competitors is a gross violation of treaties, principles of international law, and the historic partnership between Korea and the United States. … The government's shocking actions have left American investors with no choice. Unless the company immediately ceases its attacks, fully restores the company's ability to operate, and permanently ends its long-standing campaign of discrimination against the company, U.S. investors will be forced to seek billions of dollars in damages from South Korea to protect their investments in Coupang and correct the government's ongoing treaty violations, including attempted expropriation.”
Filing is a preliminary step before litigation. South Korea's Ministry of Justice is currently considering a notice of intent to begin a mandatory 90-day consultation period before starting formal arbitration.
Coupang, Abrams Capital and Foxhaven Asset Management did not respond to TechCrunch's requests for comment. Durable Capital Partners could not be reached.
Investors' filings say South Korea's response to data breaches has been inconsistent, citing other recent data breaches in South Korea, including those involving Kakao Pay, SK Telecom, Upbit and Alibaba's AliExpress.
Kakao Pay reportedly transferred 54 billion customer records to Alipay Singapore but was only fined $10 million, with a warning issued to its CEO, while SK Telecom was fined $91 million for a massive SIM card breach. Upbit and AliExpress also saw minimal government action. Investors say these examples highlight a stark contrast with the government's response to Coupang.
South Korea's Ministry of Science, Information and Communications announced Wednesday that the Coupang data breach was carried out by a former employee who worked on the company's authentication system and was aware of vulnerabilities in both its authentication framework and key management system.
The ministry claims that key web and app access logs were deleted because Coupang did not report the breach to the Korea Internet Security Agency (KISA) within 24 hours and did not fully implement the November 2025 data retention order. The ministry referred the matter to law enforcement authorities, ordered Coupang to submit a prevention plan by February 2026, and monitored compliance until July.
Coupang said in a statement that the employee, who is Chinese, had access to data on more than 33 million accounts, but only retained about 3,000 before deletion, and did not access sensitive information such as payment data, passwords or government IDs.
Coupang also replaced CEO Park Dae-jung in December with Harold Rogers, a top lawyer at the U.S. parent company.
Adam Farrar, senior associate at CSIS and senior geoeconomics analyst for APAC at Bloomberg, said on Tuesday's “Impossible State” podcast that what started as a massive data breach involving Coupang has grown into a broader issue between the United States and South Korea.
Farrar said the case amplifies broader U.S. claims of unfair treatment of U.S. technology companies and raises trade and tariff risks for South Korea as the U.S. Congress becomes more involved.
“Massive data breach [by Coupang] “There have been a series of investigations in Congress and some very heated exchanges over the past few months with Coupang and a number of its executives. The bigger dynamic here is that while Coupang gets almost all of its revenue from South Korea, it's now a U.S.-based company, which adds to the dynamics on both sides and influences how the company is viewed and seen.”
The issue goes beyond Coupang and raises broader questions about whether South Korea is unfairly targeting U.S. companies, Farrar continued.
Critics point to digital policies they say favor domestic companies, including network fees for content providers like Netflix, payment rules for Apple's App Store and Google Play, and data localization requirements that limit services like Google Maps on national security grounds.

