Coupang’s huge data breach in South Korea has now develop into a geopolitical flashpoint as a rising variety of the corporate’s U.S. buyers take authorized motion towards the South Korean authorities.
What started as a regulatory investigation into knowledge security failures has expanded right into a broader dispute over alleged unfair therapy of the U.S.-headquartered firm.
Whereas Coupang — which operates in South Korea, Taiwan, and Japan — is also known as the “Amazon of South Korea,” its worldwide headquarters are literally in Seattle, Washington.
The corporate’s buyers are actually in search of worldwide arbitration below the Korea–U.S. Free Commerce Settlement (FTA). On Jan 23, 2026, U.S. funding companies Greenoaks and Altimeter filed a discover with South Korea’s Ministry of Justice, saying they suffered losses from what they characterised as the federal government’s discriminatory investigation into the data breach. They stated they plan to pursue investor–state dispute settlement (ISDS) arbitration below the Korea–U.S. FTA.
South Korea’s Ministry of Justice stated Thursday that three extra buyers together with Abrams Capital, Sturdy Capital Companions, and Foxhaven Asset Administration have now joined the case. They’re alleging the federal government acted unlawfully towards the e-commerce firm.
To recap the incident: In December, Coupang disclosed that almost 34 million Korean prospects’ private info had been leaked in a data breach that had been happening for greater than 5 months. The breach concerned buyer names, e-mail addresses, cellphone numbers, transport addresses, and sure order histories, the corporate stated.
Whereas different tech breaches in Korea resulted in much less extreme penalties, Coupang has confronted extraordinary authorities stress. The federal government reportedly threatened huge fines, suspension of operations, and journey bans for executives whereas, Coupang’s buyers allege, making an attempt to dam public communication and misrepresenting the breach.
Techcrunch occasion
Boston, MA
|
June 23, 2026
Korea’s Private Data Safety Fee (PIPC) stated that greater than 30 million Coupang accounts have been uncovered — however the details level to simply 3,000 affected accounts, based on Coupang’s buyers.
In December, South Korea’s authorities and the PIPC stated the Coupang breach was severe sufficient to justify larger fines. Beneath present regulation, penalties are capped at 3% of income, greater than $800 million for Coupang, based on the U.S. buyers, however some lawmakers have proposed elevating the restrict to 10% and making use of it retroactively.
Even when the brand new regulation passes, it wouldn’t apply to Coupang, because the breach occurred earlier than the principles modified. However a Democratic Celebration lawmaker within the nation urged imposing punitive fines, by both new laws or a particular parliamentary act, and PIPC backed the concept, per information stories. South Korean President Lee Jae Myung additionally publicly referred to as for heavy penalties, suggesting the corporate had not confronted enough penalties.
Based mostly on the discover of intent submitting launched by the buyers’ authorized advisor, the buyers argue that the South Korean authorities’s actions represent an “unprecedented assault” on Coupang. Within the submitting, they argue:
“The Authorities’s unprecedented assault on a U.S. firm to learn its Korean and Chinese language rivals is an egregious violation of the Treaty, ideas of worldwide regulation, and the historic partnership between Korea and the USA….. the Authorities’s stunning conduct has left the U.S. buyers with no alternative. If the Authorities doesn’t instantly stop its assaults towards Coupang, totally restore the corporate’s means to function its enterprise, and completely finish its longstanding marketing campaign of discrimination towards the corporate, then the U.S. buyers shall be pressured to hunt billions of {dollars} in damages from Korea to guard their investments in Coupang and treatment the Authorities’s ongoing Treaty violations, together with attemped expropriation.”
The submitting is a preliminary, pre-litigation step. South Korea’s Ministry of Justice is now reviewing the discover of intent, which kicks off a compulsory 90-day session interval earlier than formal arbitration can start.
Coupang, Abrams Capital, and Foxhaven Asset Administration didn’t reply to information.killnetswitch’s request for remark. Sturdy Capital Companions couldn’t be reached.
Based on the buyers’ submitting, South Korea’s dealing with of data breaches has been inconsistent, particularly citing different current data breaches in South Korea, together with KakaoPay, SK Telecom, Upbit, and Alibaba’s AliExpress.
KakaoPay reportedly transferred 54 billion buyer information to Alipay Singapore, but confronted solely a $10 million fantastic and a CEO warning, whereas SK Telecom was fined $91 million after a large SIM card breach. Upbit and AliExpress additionally noticed minimal authorities motion. The buyers say these examples underscore the stark distinction with the federal government’s response to Coupang.
South Korea’s Ministry of Science and ICT stated Wednesday that the Coupang data breach was carried out by a former worker who had labored on the corporate’s authentication programs and was conscious of vulnerabilities in each the authentication framework and key administration system.
The Ministry alleges that Coupang did not report the breach to the Korea Web & Safety Company (KISA) inside 24 hours and didn’t totally implement a November 2025 knowledge preservation order, resulting in the deletion of key internet and app entry logs. The ministry has referred the matter to investigators and ordered Coupang to submit a prevention plan by February 2026, with compliance monitored by July.
Coupang launched a press release, saying that the worker, a Chinese language nationwide, accessed knowledge from over 33 million accounts however retained solely about 3,000 earlier than deleting it, and that no delicate information equivalent to fee knowledge, passwords, or authorities IDs was accessed.
Coupang additionally changed its CEO, Dae-jun Park with Harold Rogers, its U.S. mum or dad’s prime lawyer, in December.
Adam Farrar, senior affiliate at CSIS and senior geoeconomics analyst for APAC at Bloomberg, stated on Tuesday’s Unattainable State podcast that what started as a serious data breach involving Coupang has grown right into a broader situation between the USA and South Korea.
Farrar stated that the case is amplifying broader U.S. claims of unfair therapy towards American know-how companies, elevating commerce and tariff dangers for South Korea because the U.S. Congress turns into more and more engaged.
“The huge data breach [by Coupang] led to a collection of investigations within the Nationwide Meeting and a few very combative backwards and forwards with Coupang and a collection of executives over the previous a number of months,” Farrar stated within the podcast. “The extra dynamic right here is that Coupang, whereas driving virtually all of its earnings from Korea, is now a US-based firm that provides to the dynamic on each side, impacting how they’re perceived and seen.”
The difficulty extends past Coupang, elevating broader questions on whether or not South Korea is unfairly concentrating on U.S. corporations, Farrar continued.
Critics level to digital insurance policies they are saying favor home companies, together with community utilization charges on content material suppliers like Netflix, Apple’s App Retailer and Google Play fee guidelines and knowledge localization necessities that restrict providers like Google Maps on nationwide security grounds.
