More US investors sue South Korean government over handling of Coupang data breach
Source: TechCrunch
Coupang’s Massive Data Breach in South Korea – A Growing Geopolitical Flashpoint
Source: TechCrunch (Dec 1 2025)
Overview
- A data breach that exposed the personal information of nearly 34 million Korean customers has turned into a diplomatic dispute.
- U.S. investors are filing international arbitration under the U.S.–Korea Free Trade Agreement (FTA), accusing the South Korean government of discriminatory treatment of Coupang.
- Although often called the “Amazon of South Korea,” Coupang’s global headquarters are in Seattle, Washington; it operates in South Korea, Taiwan, and Japan.
Key Legal Actions
| Date | Actor | Action | Source |
|---|---|---|---|
| Jan 23 2026 | U.S. investment firms Greenoaks and Altimeter | Filed a notice with South Korea’s Ministry of Justice alleging losses from a discriminatory investigation and invoking ISDS arbitration under the U.S.–Korea FTA. | Notice (Korean Ministry of Justice) |
| Jan 24 2026 | South Korea’s Ministry of Justice | Announced that three additional investors—Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management—have joined the case. | MOJ statement (Korean) |
Timeline of the Breach & Government Response
| Date | Event | Details |
|---|---|---|
| Dec 2025 | Breach disclosure | Coupang announced that personal data (names, emails, phone numbers, shipping addresses, and some order histories) of ≈34 million Korean customers had been exposed for >5 months. |
| Dec 2025 – Jan 2026 | Regulatory pressure | The Korean government threatened: |
| • Massive fines – up to 3 % of revenue (≈ $800 M) under current law. | ||
| • Suspension of operations. | ||
| • Travel bans on executives. | ||
| • Attempts to block public communication about the breach. | ||
| Dec 2025 | PIPC statement | The Personal Information Protection Commission (PIPC) said >30 million accounts were exposed. Investors argue the actual number is ≈3,000. |
| Dec 2025 | Legislative debate | Lawmakers proposed raising the fine cap to 10 % of revenue and applying it retroactively. Even if passed, the new limit would not apply to the 2025 breach. |
| Jan 2026 | Presidential comment | President Lee Jae‑Myung called for heavy penalties, stating Coupang had not faced sufficient consequences. |
| • President’s remarks (Korean video) | ||
| Jan 2026 | Investor filing | Investors submitted a notice of intent alleging an “unprecedented assault” by the Korean government, threatening billions in damages if the government does not cease its actions. |
| • Notice of intent (Korean MOJ) |
Investors’ Core Allegations
- Discriminatory Investigation – The Korean government singled out Coupang while other tech breaches received lighter treatment.
- Unlawful Government Conduct – Actions amount to an “unprecedented assault” and a violation of the U.S.–Korea FTA, international law, and the historic partnership between the two nations.
- Excessive Penalties & Restrictions – Threats of massive fines, operational suspension, travel bans, and suppression of public communication.
- Potential Expropriation – Investors claim the government’s conduct could be interpreted as an attempt to expropriate their investment.
Excerpt from the investors’ filing:
“The Government’s unprecedented assault on a U.S. company to benefit its Korean and Chinese competitors is an egregious violation of the Treaty, principles of international law, and the historic partnership between Korea and the United States … If the Government does not immediately cease its attacks against Coupang, fully restore the company’s ability to operate its business, and permanently end its longstanding campaign of discrimination, then the U.S. investors will be forced to seek billions of dollars in damages from Korea to protect their investments in Coupang and remedy the Government’s ongoing Treaty violations, including attempted expropriation.”
Related Media & Events
TechCrunch Event
| Location | Date |
|---|---|
| Boston, MA | June 23 2026 |
(The event details were listed in the original text; no further information was provided.)
Key Sources
- TechCrunch – Coupang’s massive data breach in South Korea (Dec 1 2025)
- Korea Times – Articles on potential fines, business suspension, and travel bans (Dec 2025 – Jan 2026)
- South Korean Ministry of Justice – Official notices and statements (Jan 2026)
- Personal Information Protection Commission (PIPC) – Initial breach assessment (Dec 2025)
- President Lee Jae‑Myung’s public remarks (Jan 2026)
- Investor legal filing – Notice of intent (Jan 2026)
Bottom Line
Coupang’s data breach has escalated from a cybersecurity incident to a high‑stakes geopolitical dispute. U.S. investors are leveraging the U.S.–Korea FTA’s ISDS mechanism to challenge what they view as unlawful, discriminatory actions by the South Korean government. The outcome could set a precedent for how cross‑border data‑privacy incidents are handled in the context of international trade agreements.
Overview
South Korea’s handling of recent data‑breach incidents has drawn criticism for its inconsistent enforcement. The latest controversy involves Coupang, which is now facing scrutiny from both Korean regulators and U.S. policymakers.
Key Points
- Arbitration Notice – The arbitration process cannot begin until a formal notice of intent to submit a claim is given at least 90 days in advance. (See the SIAA Day 3 presentation for details.)
- Lack of Comment – Coupang, Abrams Capital, and Foxhaven Asset Management did not respond to TechCrunch’s request for comment. Durable Capital Partners could not be reached.
Recent South Korean Data Breaches
| Company | Breach Summary | Penalty / Action |
|---|---|---|
| KakaoPay | Transferred 54 billion customer records to Alipay Singapore. | $10 million fine and a CEO warning. |
| SK Telecom | Massive SIM‑card breach. | $91 million fine. |
| Upbit | Large‑scale hack affecting millions of users. | Minimal government action. |
| AliExpress | Data exposure incident. | Minimal government action. |
These cases are cited by investors to highlight the stark contrast with the Korean government’s response to the Coupang breach.
Ministry of Science and ICT Findings
- The breach was carried out by a former employee who worked on Coupang’s authentication systems and knew of vulnerabilities in both the authentication framework and key‑management system.
- Coupang allegedly failed to report the breach to the Korea Internet & Security Agency (KISA) within the required 24‑hour window.
- The company did not fully implement a November 2025 data‑preservation order, resulting in the deletion of key web and app access logs.
- The Ministry has referred the matter to investigators and ordered Coupang to submit a prevention plan by February 2026, with compliance monitoring through July 2026.
Coupang’s Response
- Statement – The employee (a Chinese national) accessed data from over 33 million accounts, retained only about 3,000 records, and then deleted them. No payment data, passwords, or government IDs were accessed.
- Leadership Change – In December, Coupang replaced CEO Park Dae‑jun with Harold Rogers, the U.S. parent’s top lawyer.
“The massive data breach [by Coupang] led to a series of investigations in the National Assembly and some very combative back‑and‑forth with Coupang and a series of executives over the past several months.” – Adam Farrar, senior associate at CSIS and senior geoeconomics analyst for APAC at Bloomberg
Geopolitical Implications
- U.S.‑South Korea Tensions – Farrar noted on the Impossible State podcast that the Coupang breach is becoming a broader issue between the United States and South Korea, amplifying U.S. claims of unfair treatment toward American tech firms.
- Congressional Interest – The U.S. Congress is increasingly engaged, raising trade and tariff risks for South Korea.
“The additional dynamic here is that Coupang, while driving almost all of its earnings from Korea, is now a U.S.-based company that adds to the dynamic on both sides, impacting how they’re perceived and seen.” – Adam Farrar
Broader Concerns Over Korean Digital Policy
Critics argue that South Korean regulations favor domestic firms, citing:
- Network‑usage fees on content providers such as Netflix.
- In‑app billing rules that affect Apple’s App Store and Google Play.
- Data‑localization requirements that limit services like Google Maps on national‑security grounds.
Sources
- SIAA Day 3 – Pre‑arbitration Requirements (PDF)
- TechCrunch article on South Korean data breaches (May 2025)
- Korea Times – KakaoPay fine (April 2025)
- Yonhap News – SK Telecom fine (Jan 2026)
- DL News – Upbit hack investigation (2025)
- KED Global – AliExpress breach (July 2024)
- Coupang response statement (2026)
- TechCrunch – Coupang CEO resignation (Dec 2025)
- Impossible State podcast – Adam Farrar (2026)
- Fox Business – U.S. Congress targeting South Korean regulators (2025)
- TechCrunch – Netflix bandwidth fees (2021)
- TechCrunch – Apple/Google in‑app billing fines (2023)
- TechCrunch – Google Maps data‑localization debate (2025)