The recent data breach at Coupang, a prominent South Korean e-commerce platform, has escalated into a significant international dispute, as more U.S. investors are initiating legal proceedings against the South Korean government.
This situation originated from an investigation into data security practices, which has now broadened into claims of unfair treatment directed at the U.S.-based company.
Coupang, often dubbed the "Amazon of South Korea," operates not only in South Korea but also in Taiwan and Japan, with its global headquarters located in Seattle, Washington.
Investors are now pursuing international arbitration under the Korea-U.S. Free Trade Agreement (FTA). On January 23, 2026, U.S. investment firms Greenoaks and Altimeter submitted a notification to South Korea's Ministry of Justice, asserting they incurred losses due to what they deemed a biased investigation into the data breach. They intend to seek investor-state dispute settlement (ISDS) arbitration under the Korea-U.S. FTA.
Recently, South Korea's Ministry of Justice announced that three additional investors--Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management--have joined the case, alleging unlawful actions by the government against the e-commerce giant.
To summarize the incident: in December, Coupang revealed that nearly 34 million customers' personal data had been compromised in a breach that lasted over five months. The exposed information included names, email addresses, phone numbers, shipping details, and some order histories.
While other technology breaches in South Korea have resulted in lighter penalties, Coupang has faced significant governmental scrutiny. Reports indicate that the government threatened substantial fines, operational suspensions, and travel bans for executives, while investors allege attempts to obstruct public communications and misrepresent the breach.
The Personal Information Protection Commission (PIPC) of Korea stated that over 30 million Coupang accounts were compromised, yet investors contend that only about 3,000 accounts were genuinely affected.
In December, both the South Korean government and the PIPC classified the Coupang breach as serious enough to warrant increased fines. Current regulations cap penalties at 3% of revenue, which could exceed $800 million for Coupang, but some lawmakers have suggested raising this to 10% retroactively.
Even if such legislation were passed, it would not apply to Coupang, as the breach occurred prior to any changes in law. However, a Democratic Party lawmaker has proposed imposing punitive fines through new legislation or special parliamentary action, with PIPC supporting the initiative. South Korean President Lee Jae Myung has also publicly called for stringent penalties, suggesting the company has not faced adequate repercussions.
According to the investors' legal filing, the actions taken by the South Korean government are described as an "unprecedented assault" on Coupang. They argue that such conduct violates international law principles and undermines the historical partnership between Korea and the United States. The investors have indicated that if the government does not cease its actions against Coupang and restore its operational capabilities, they will be compelled to seek substantial damages to protect their investments.
This filing represents an initial, pre-litigation step, and the South Korean Ministry of Justice is currently reviewing the notice of intent, which initiates a mandatory 90-day consultation period before formal arbitration can commence.
Coupang, along with Abrams Capital and Foxhaven Asset Management, did not respond to requests for comments. Durable Capital Partners was also unavailable for contact.
The investors' filing highlights inconsistencies in South Korea's approach to data breaches, referencing recent incidents involving KakaoPay, SK Telecom, Upbit, and Alibaba's AliExpress, which faced minimal government response compared to Coupang.
According to the Ministry of Science and ICT, the Coupang data breach was executed by a former employee familiar with the company's security vulnerabilities. They allege that Coupang failed to notify the Korea Internet & Security Agency (KISA) within the required 24 hours and did not fully comply with a data preservation order issued in November 2025, which resulted in the deletion of vital access logs. The ministry has referred the case for investigation and mandated Coupang to submit a prevention plan by February 2026.
Coupang stated that the former employee accessed data from over 33 million accounts but only retained around 3,000 before deleting it. They assured that no sensitive information, such as payment details or government IDs, was compromised.
In December, Coupang appointed Harold Rogers, the top lawyer from its U.S. parent company, as the new CEO following the breach.
Experts suggest that the data breach incident has evolved into a broader dialogue between the U.S. and South Korea regarding the treatment of American technology firms. This case could potentially heighten trade and tariff risks for South Korea as U.S. legislative bodies become more involved in the matter.
Critics have noted that South Korea's digital policies may favor domestic companies, citing network usage fees and data localization requirements that could restrict services provided by foreign firms.