Several American investors have sued the South Korean government for its handling of the Coupang data breach
Coupang’s massive data breach in South Korea has now become a political arena as a growing number of the company’s US investors are taking legal action against the South Korean government.
What began as a regulatory investigation into data security failures has escalated into a wider controversy over alleged mismanagement at the company’s US headquarters.
While Coupang — which operates in South Korea, Taiwan, and Japan — is often referred to as the “Amazon of South Korea,” its global headquarters is in Seattle, Washington.
The company’s investors are now seeking international arbitration under the US-Korea Free Trade Agreement (FTA). On January 23, 2026, American investment firms Greenoaks and Altimeter filed a notice with South Korea’s Ministry of Justice, saying they had lost what they described as a discriminatory government investigation into the data breach. They said they plan to pursue investor-state conflict settlement (ISDS) under the US-Korea FTA.
South Korea’s Ministry of Justice said Thursday that three other investors, including Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management have now joined the case. They suspect that the government has acted illegally in the e-commerce company.
To recall the incident: In December, Coupang disclosed that the information of about 34 million Korean customers had been leaked in a data breach that had been going on for more than five months. The breach involved customer names, email addresses, phone numbers, shipping addresses, and certain order histories, the company said.
While other technology violations in Korea have resulted in relatively light fines, Coupang has faced significant government pressure. The government reportedly threatened heavy fines, suspensions, and executive travel bans while Coupang investors said it wanted to block public communication and repeatedly misrepresented the scope of the violations.
Techcrunch event
Boston, MA
|
June 23, 2026
The Personal Information Protection Commission of Korea (PIPC) said more than 30 million Coupang accounts were exposed – but the facts point to only 3,000 accounts being affected, according to Coupang investors.
In December, the South Korean government and PIPC said Coupang’s violations were too serious to justify a higher fine. Under current law, fines amount to 3% of revenue, over $800 million for Coupang, according to US investors, but some lawmakers have proposed raising the limit to 10% and applying it repeatedly.
Even if this new law passes, it will not apply to Coupang, as the violations occurred before the rules were changed. But the state’s Democratic Party lawmaker suggested imposing punitive fines, either through new legislation or a special act of parliament, and the PIPC supported the idea, according to news reports. South Korean President Lee Jae Myung also called for public punishment, suggesting the company did not face enough consequences.
Based on a filing notice issued by the investors’ legal counsel, the investors argued that the South Korean government’s actions constituted an “unprecedented attack” on Coupang. In the filing, they argue:
The Government’s unprecedented attack on a US company for the benefit of its Korean and Chinese competitors is a serious violation of the Treaty, the principles of international law, and the historic relationship between Korea and the United States… The shocking behavior of the government has left US investors with no choice. If the Government does not immediately stop its attack on Coupang, fully restore the company’s ability to conduct its business, and end once and for all its long-running campaign of discrimination against the company, then American investors will be forced to seek billions of dollars in loans from Korea to protect their investment in Coupang and to remedy the Government’s ongoing Treaty violations, including attempted land seizures.
The filing of a motion is the first, pretrial step. South Korea’s Ministry of Justice is now reviewing the notice of intent, which begins a mandatory 90-day period before formal arbitration can begin.
Coupang, Abrams Capital, and Foxhaven Asset Management did not respond to TechCrunch’s request for comment. Durable Capital Partners could not be found.
According to investor filings, South Korea’s handling of data breaches has been inconsistent, particularly with other recent data breaches in South Korea, including KakaoPay, SK Telecom, Upbit, and Alibaba’s AliExpress.
KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore, but only faced a $10 million fine and CEO warning, while SK Telecom was fined $91 million after a major SIM card breach. Upbit and AliExpress have also seen little government action. Investors say these examples underscore the stark contrast with the government’s response to Coupang.
South Korea’s Ministry of Science and ICT said on Wednesday that the Coupang data breach was carried out by a former employee who had worked on the company’s authentication systems and was aware of vulnerabilities in both the authentication framework and the key management system.
The ministry says Coupang failed to report the breach to the Korea Internet & Security Agency (KISA) within 24 hours and did not fully implement the November 2025 data retention order, which led to the removal of key web and app access logs. The department has referred the matter to investigators and ordered Coupang to submit a security plan by February 2026, which will be monitored until July.
Coupang issued a statement, saying that the employee, who is from China, obtained data from more than 33 million accounts but kept only about 3,000 before deleting them, and that no sensitive information such as payment data, passwords, or government IDs were accessed.
Coupang also replaced its CEO, Park Dae-jun, with Harold Rogers, America’s top parent lawyer, in December.
Adam Farrar, senior fellow at CSIS and senior geoeconomics analyst for APAC at Bloomberg, said on Tuesday’s Impossible State podcast that what started as a major data breach involving Coupang has grown into a broader issue between the United States and South Korea.
Farrar said the case raises broader US claims of unfair treatment of American technology companies, raising trade and tax risks for South Korea as the US Congress gets more involved.
“Major data breach [by Coupang] it led to a series of investigations in the National Assembly and a lot of back and forth with Coupang and a series of administrations over the last few months,” Farrar said on the podcast.
The issue goes beyond Coupang, raising broader questions about whether South Korea improperly targeted US companies, Farrar continued.
Critics point to digital policies they say favor domestic firms, including network usage fees for content providers like Netflix, Apple’s App Store and Google Play payment rules, as well as location data processing requirements that restrict services like Google Maps for national security reasons.
