U.S. Investors Take Legal Action Against South Korean Government Over Coupang Data Breach
A significant data breach at Coupang, an e-commerce giant often dubbed the "Amazon of South Korea," has escalated into a geopolitical issue, with a growing number of U.S. investors initiating legal proceedings against the South Korean government. What began as an inquiry into data security lapses has broadened into a dispute concerning alleged discriminatory practices against Coupang, a company headquartered in Seattle, Washington, despite its substantial operations in South Korea, Taiwan, and Japan.
These investors are now pursuing international arbitration under the framework of the Korea–U.S. Free Trade Agreement (FTA). On January 23, 2026, U.S. investment firms Greenoaks and Altimeter formally notified South Korea's Ministry of Justice of their intent to file a claim. They assert that they have incurred losses due to what they perceive as a biased investigation into the data breach by the government and plan to engage in investor–state dispute settlement (ISDS) arbitration as permitted by the Korea–U.S. FTA.
Confirming the escalating legal challenge, South Korea's Ministry of Justice announced that three additional investors—Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management—have joined the case. These firms allege that the government acted unlawfully in its dealings with the e-commerce company.
Details of the Coupang Data Breach
The incident came to light in December when Coupang disclosed that personal information of nearly 34 million Korean customers had been compromised. The breach, which had been ongoing for over five months, exposed customer names, email addresses, phone numbers, shipping addresses, and some order histories.
Investors claim that Coupang is facing disproportionately harsh government scrutiny compared to other data breaches in South Korea. They allege that the government threatened severe penalties, including substantial fines, operational suspension, and executive travel bans, while simultaneously attempting to stifle public communication and misrepresenting the scope of the breach.
According to Coupang's investors, the Personal Information Protection Commission (PIPC) in South Korea stated that over 30 million accounts were exposed. However, the investors contend that the actual number of affected accounts is closer to 3,000. Investors also point out that while current laws cap penalties at 3% of revenue—potentially over $800 million for Coupang—there have been proposals to increase this limit to 10%, with suggestions for retroactive application, despite the breach occurring before any rule changes.
Investor Allegations of Unfair Treatment
In their notice of intent, the investors characterize the South Korean government's actions as an "unprecedented assault" on Coupang. The filing asserts:
"The Government’s unprecedented assault on a U.S. company to benefit its Korean and Chinese competitors is an egregious violation of the Treaty, principles of international law, and the historic partnership between Korea and the United States… the Government’s shocking conduct has left the U.S. investors with no choice. If the Government does not immediately cease its attacks against Coupang, fully restore the company’s ability to operate its business, and permanently end its longstanding campaign of discrimination against the company, then the U.S. investors will be forced to seek billions of dollars in damages from Korea to protect their investments in Coupang and remedy the Government’s ongoing Treaty violations, including attemped expropriation."
This notice represents a preliminary step before formal arbitration, which can commence after a mandatory 90-day consultation period with South Korea's Ministry of Justice, currently under review.
Inconsistent Regulatory Response Cited
The investors highlight what they describe as an inconsistent approach by South Korea in handling data breaches. They cite other recent incidents involving companies like KakaoPay, SK Telecom, Upbit, and Alibaba's AliExpress. For instance, KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore but received only a $10 million fine and a warning to its CEO. SK Telecom faced a $91 million fine after a significant SIM card breach, while Upbit and AliExpress experienced minimal government intervention.
Government's Perspective and Coupang's Response
South Korea's Ministry of Science and ICT stated that the Coupang breach was perpetrated by a former employee familiar with the company's authentication systems and vulnerabilities. The ministry alleges Coupang failed to report the breach within 24 hours to the Korea Internet & Security Agency (KISA) and did not fully comply with a data preservation order, leading to the deletion of crucial logs. Coupang has appointed Harold Rogers, its U.S. parent's top lawyer, as its new CEO, replacing Dae-jun Park in December.
Coupang issued a statement indicating that a Chinese national, a former employee, accessed data from over 33 million accounts but ultimately retained only about 3,000 records before deleting them. The company also stated that no sensitive information, such as payment data, passwords, or government IDs, was accessed.
Broader Implications for U.S.-South Korea Trade Relations
According to Adam Farrar, a senior associate at CSIS and geoeconomics analyst for APAC at Bloomberg, this case is amplifying broader U.S. concerns about unfair treatment of American tech firms, potentially introducing trade and tariff risks for South Korea as the U.S. Congress becomes more involved. Farrar noted on the "Impossible State" podcast that the breach has led to contentious exchanges between Coupang executives and the National Assembly, with Coupang's status as a U.S.-based company, despite deriving most of its revenue from Korea, adding complexity to the situation.
The dispute raises questions about whether South Korea unfairly targets U.S. companies, with critics pointing to digital policies perceived as favoring domestic firms. Examples include network usage fees imposed on content providers like Netflix, payment rules for app stores, and data localization requirements that impact services like Google Maps due to national security concerns.
Stay Tuned to Devignitor Insights for More Updates
