From Security Probe To Investor Dispute
Coupang’s data breach in South Korea has expanded from a regulatory investigation into a dispute involving U.S. investors and the South Korean government. The company, which operates in South Korea, Taiwan, and Japan and is often compared to Amazon, is headquartered in Seattle. Investors say the government’s response to the breach amounts to unfair treatment of a U.S. company and have moved toward international arbitration under the U.S.-Korea Free Trade Agreement.
Arbitration Filings And New Participants
On January 23, 2026, U.S. investment firms Greenoaks and Altimeter filed a notice with South Korea’s Ministry of Justice, saying they suffered losses from what they described as a discriminatory investigation and that they intend to pursue investor state dispute settlement arbitration under the U.S.-Korea FTA. South Korea’s Ministry of Justice said Thursday that three more investors, including Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management, have joined the case and allege unlawful government action toward the company. The notice of intent starts a mandatory 90 day consultation period before formal arbitration can begin.
Scope Of The Breach And Company Statements
In December, Coupang said nearly 34 million Korean customers’ personal information had been exposed in a breach that lasted more than five months. The company said the data included names, email addresses, phone numbers, shipping addresses, and some order histories. Coupang later said a former employee, a Chinese national, accessed data from more than 33 million accounts but kept about 3,000 before deleting it, and said no payment data, passwords, or government IDs were accessed. The company also replaced its chief executive, Park Dae-jun, with Harold Rogers, the top lawyer of its U.S. parent, in December.
Government Response And Proposed Penalties
South Korea’s Personal Information Protection Commission said more than 30 million accounts were exposed, while investors say the facts point to about 3,000 affected accounts. The government and the PIPC said in December that the breach justified higher fines. Current law caps penalties at 3% of revenue, which investors say would exceed $800 million for Coupang, and some lawmakers have proposed raising the limit to 10% and applying it retroactively. Even if such a change passes, it would not apply to Coupang because the breach occurred earlier. A Democratic Party lawmaker suggested punitive fines through new legislation or a special parliamentary act, and the PIPC supported the idea in news reports. President Lee Jae Myung also called for heavy penalties and said the company had not faced sufficient consequences.
Claims In The Notice Of Intent
In the filing released by the investors’ legal adviser, the investors said the government’s actions amount to an “unprecedented assault” on Coupang. The filing says the conduct violates the treaty and principles of international law and warns that, if the actions do not stop, the investors will seek billions of dollars in damages to protect their investments and address what they describe as ongoing treaty violations, including attempted expropriation.
Comparisons With Other Breach Cases
The investors say South Korea has handled data breaches inconsistently and cite cases involving KakaoPay, SK Telecom, Upbit, and Alibaba’s AliExpress. KakaoPay reportedly transferred 54 billion customer records to Alipay Singapore and faced a $10 million fine and a CEO warning. SK Telecom was fined $91 million after a large SIM card breach. Upbit and AliExpress also faced limited action. The investors say these outcomes contrast with the response to Coupang.
Findings By The Ministry Of Science And ICT
South Korea’s Ministry of Science and ICT said Wednesday that the breach was carried out by a former employee who had worked on Coupang’s authentication systems and knew about weaknesses in the authentication framework and key management system. The ministry said Coupang did not report the breach to the Korea Internet and Security Agency within 24 hours and did not fully follow a November 2025 data preservation order, which led to the deletion of key web and app access logs. The ministry referred the matter to investigators and ordered Coupang to submit a prevention plan by February 2026, with compliance monitored through July.
Political And Trade Context
The notice of intent followed reports that the government threatened large fines, possible suspension of operations, and travel bans for executives, and investors say officials also tried to limit public communication and misstated the scope of the breach. Adam Farrar, a senior associate at CSIS and senior geoeconomics analyst for APAC at Bloomberg, said on the Impossible State podcast that the case has grown into a broader issue between the United States and South Korea. He said the dispute is adding to U.S. claims of unfair treatment of American technology firms and could raise trade and tariff risks as the U.S. Congress becomes more involved. Farrar said the company’s U.S. base changes how the issue is viewed on both sides.
Broader Policy Questions
Farrar said the issue goes beyond Coupang and raises questions about whether South Korea is targeting U.S. companies. Critics point to digital policies they say favor domestic firms, including network usage fees on content providers such as Netflix, payment rules on Apple’s App Store and Google Play, and data localization requirements that limit services like Google Maps on national security grounds.
Coupang, Abrams Capital, and Foxhaven Asset Management did not respond to TechCrunch’s request for comment. Durable Capital Partners could not be reached.
Featured image credits: Wikimedia Commons
For more stories like it, click the +Follow button at the top of this page to follow us.