The massive late 2025 data breach of online retail giant Coupang has become an international legal issue and potential source of trade tensions, as US investors have joined in with claims against the South Korean government under international arbitration law.
Coupang was founded in South Korea and primarily does business there; it also operates in Japan and Taiwan, and is considered an Amazon-equivalent online retailer in East Asia. It has its primary corporate headquarters in a tower in Seoul, but its international operations are based out of its Seattle campus in the US. This has attracted attention from some major US investors that now claim South Korea’s Ministry of Justice conducted a discriminatory investigation into the data breach that failed to lawfully address their losses.
US investors claim South Korean government actions are overly harsh
The Coupang data breach extended from June to November of 2025, with the company first detecting that 4,500 user accounts had been exposed to a malicious actor on November 18. A follow-up investigation soon found that the actual number of impacted accounts was closer to 33.7 million; victims had contact and shipping information associated with the account as well as “some” order histories exposed, but Coupang says that no payment information was involved.
Major US investors including Greenoaks, Altimeter, Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management have joined a case invoking the U.S.-Korea Free Trade Agreement (FTA) to seek international investor–state dispute settlement (ISDS) arbitration with the South Korean Ministry of Justice. Their central claim is that the South Korean government was disproportionately harsh on Coupang, as compared to penalties delivered to tech companies in other recent data breach cases. On the basis of Coupang’s disclosure that over 33 million accounts were impacted, the government issued a series of large fines and threats of business operation suspension orders while also temporarily restricting the ability of company executives to travel overseas.
Current South Korean data protection laws cap penalties for data breach cases at 3% of annual revenue. Some South Korean lawmakers seeking to raise that limit to 10% have pointed at the Coupang case as a central example of why the national laws should be made more harsh. The US investors filing suit take the opposite view: they believe the government has already taken “unprecedented” action against a US-based business to their detriment. They are seeking a reversal of fines and business restrictions issued against the company, under the threat of bringing billions of dollars of damage claims against the government.
In addition to pointing out other similar data breaches that resulted in much lower fines and less in the way of operational restrictions, the US investors also note follow-up security research that suggests only about 3,000 Coupang accounts were seriously impacted by the intrusion.
Chinese former employee accused of perpetrating data breach
A Chinese national that previously worked for Coupang has been accused of masterminding the data breach. The employee had worked with the company’s authentication systems and was allegedly aware of vulnerabilities that they later exploited to gain remote access after leaving the company. Though there is no report of payment data being accessed and the employee was no longer with the company when the data breach began, the South Korean government notes that Coupang had not fully implemented a data preservation order issued upon disclosure of the breach. This led to important web and app access logs being deleted before they could be inspected by outside parties.
In addition to seeking to enter arbitration, the US investors are also asking the U.S. Trade Representative (USTR) to open a probe into the South Korean government’s response and to determine if “appropriate trade remedies” are called for including tariffs and sanctions. Much of the response is still up in the air, however. At present the law allows for Coupang to face a fine of up to $700 million, but some lawmakers want special measures introduced to greatly increase the penalty. The company could also see a reduced fine depending on its remediation measures, toward which it has already announced a compensation package totalling $1.18 billion for users. There are still many variables that could influence the suit by US investors, which is mostly basing the compensation it will ask on alleged damage to shareholder value. The two sides are currently in a required 90-day consultation period while engaging in initial talks, which will proceed to arbitration if a resolution is not reached by the end.
The US investors may have a case in pointing out other recent incidents in South Korea that did not merit such a heavy regulatory backlash. One of the biggest examples is the similarly large data breach of SK Telecom a little under a year ago, which involved around 25 million customer records but ultimately only drew a fine of about $96 million, which the company is currently lobbying to have overturned on the basis of their remedial actions not being factored in.
