More US investors are suing the South Korean government over its handling of the Coupang data breach

Coupang’s massive data breach in South Korea has now become a geopolitical flashpoint as a growing number of the company’s American investors take legal action against the South Korean government.

What began as a regulatory investigation into a data security failure has expanded into a broader dispute over alleged unfair treatment of the US-headquartered company.

While Coupang – which operates in South Korea, Taiwan and Japan – is often referred to as the “Amazon of South Korea,” its worldwide headquarters is actually located in Seattle, Washington.

The company’s investors are now seeking international arbitration under the Korea-US Free Trade Agreement (FTA). On January 23, 2026, US investment firms Greenoaks and Altimeter filed a notice with the South Korean Ministry of Justice, saying they had suffered losses from what they described as the government’s discriminatory investigation into the data breach. They said they plan to pursue Investor-State Dispute Settlement (ISDS) arbitration under the Korea-US Free Trade Agreement.

Three more investors, including Abrams Capital, Dollar Capital Partners and Foxhaven Asset Management, have now joined the case, the South Korean Justice Ministry said on Thursday. They claim that the government acted illegally towards the e-commerce company.

To recap the incident: In December, Coupang disclosed that the personal information of nearly 34 million Korean customers had been leaked in a data breach that lasted more than five months. The company said the breach included customer names, email addresses, phone numbers, shipping addresses, and the history of certain orders.

While other technical violations in Korea have resulted in less severe penalties, Coupang has faced unusual government pressure. The government has reportedly threatened to impose huge fines, suspension of operations, and travel bans on executives, while Coupang investors are allegedly trying to block public communications and misrepresent the violation.

Korea’s Personal Information Protection Commission (PIPC) said more than 30 million Coupang accounts were exposed – but the facts are only 3,000 accounts are affected, according to Coupang investors.

In December, the South Korean government and PIPC said the Coupang hack was serious enough to warrant higher fines. Under current law, penalties are capped at 3% of revenue, more than $800 million for Coupang, according to US investors, but some lawmakers have proposed raising the cap to 10% and applying it retroactively.

Even if the new law is passed, it will not apply to Coupang, because the violation occurred before the rules were changed. But one of the country’s Democratic Party lawmakers has proposed imposing punitive fines, either through new legislation or a special act of parliament, and the PIPC has backed the idea, according to news reports. South Korean President Lee Jae-myung has also publicly called for severe sanctions, suggesting the company has not faced enough consequences.

Based on the Notice of Filing of Intent issued by the Investors’ Legal Counsel, the investors argue that the South Korean government’s actions constitute an “unprecedented assault” on Coupang. They say in the recording:

“The government’s unprecedented assault on a US company on behalf of its Korean and Chinese competitors is a flagrant violation of the Treaty, the principles of international law, and the historic partnership between Korea and the United States… The government’s shocking behavior has left US investors no choice. If the government does not immediately cease its attacks against Coupang, fully restore the company’s ability to conduct its business, and permanently end its long-standing campaign of discrimination against the company, US investors will be forced to seek billions of dollars in reparations from Korea to protect its investments in Coupang and address the government’s ongoing violations of the Treaty, including This includes an attempt to confiscate.

Filing is an initial step before litigation. South Korea’s Ministry of Justice is now reviewing the Notice of Intent, which initiates a mandatory 90-day consultation period before formal arbitration begins.

Coupang, Abrams Capital and Foxhaven Asset Management did not respond to TechCrunch’s request for comment. No access to permanent capital partners.

According to the investor filing, South Korea’s handling of data breaches has been inconsistent, specifically pointing to other recent data breaches in South Korea, including KakaoPay, SK Telecom, Upbit, and Alibaba’s AliExpress.

KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore, yet only faced a $10 million fine and a warning from the CEO, while SK Telecom was fined $91 million after a major SIM card breach. Upbit and Aliexpress also saw minimal government action. Investors say these examples highlight the stark contrast to the government’s response to Coupang.

South Korea’s Ministry of Science, ICT, and Communications said on Wednesday that the Coupang data breach was carried out by a former employee who worked on the company’s authentication systems and was aware of vulnerabilities in both the authentication framework and key management system.

The ministry alleges that Coupang failed to notify the Korea Internet and Security Agency (KISA) of the breach within 24 hours and did not fully implement a data preservation order issued in November 2025, resulting in the deletion of key web and app access logs. The ministry referred the matter to investigators and ordered Coupang to submit a prevention plan by February 2026, with compliance monitored until July.

Coupang issued a statement, saying the employee, a Chinese national, accessed data from more than 33 million accounts but only kept about 3,000 accounts before deleting them, and no sensitive information such as payment data, passwords or government IDs was accessed.

Coupang also replaced its chief executive, Dae Joon Park, with Harold Rogers, the parent company’s top US lawyer, in December.

What started as a major data breach related to Coupang has evolved into a broader problem between the United States and South Korea, Adam Farrar, a senior researcher at CSIS and senior Asia-Pacific geoeconomics analyst at Bloomberg, said on Impossible State on Tuesday.

Farrar said the case amplifies broader US allegations of unfair treatment toward US technology companies, raising trade and tariff risks for South Korea as the US Congress becomes more involved.

“Massive data breach [by Coupang] “This has led to a series of investigations in the National Assembly and some very combative ones into Coupang and a series of executives over the last few months. The additional dynamic here is that Coupang, while driving almost all of its profits from Korea, is now a US-based company which adds to the dynamic on both sides, affecting how they are both viewed and seen,” Farrar said on the podcast.

Farrar continued that the issue extends beyond Coupang, raising broader questions about whether South Korea is unfairly targeting American companies.

Critics point to digital policies they say favor local businesses, including network usage fees on content providers like Netflix and Apple’s App Store, Google Play’s payment rules and data localization requirements that limit services like Google Maps on national security grounds.