US Investors Initiate International Arbitration Against South Korea Over Coupang Data Breach Investigation

The massive data breach affecting South Korean e-commerce platform Coupang has evolved into a significant geopolitical dispute, with multiple U.S. institutional investors filing for international arbitration against the South Korean government under the U.S.-Korea Free Trade Agreement (FTA).

While Coupang operates primarily in South Korea, Taiwan, and Japan, and is often referred to as the "Amazon of South Korea," the company maintains its global headquarters in Seattle, Washington. This jurisdictional structure has become central to the emerging legal conflict.

Escalating Legal Action

On January 23, 2026, U.S. investment firms Greenoaks and Altimeter filed a notice with South Korea's Ministry of Justice, initiating investor-state dispute settlement (ISDS) proceedings. They allege discriminatory treatment and financial losses resulting from the government's investigation into the data breach.

South Korea's Ministry of Justice confirmed Thursday that three additional investors have joined the arbitration case:

• Abrams Capital

• Durable Capital Partners

• Foxhaven Asset Management

These investors collectively argue that the South Korean government has engaged in unlawful actions targeting the U.S.-headquartered company.

Technical Details of the Breach

In December, Coupang disclosed a security incident that persisted for over five months, affecting nearly 34 million Korean customer accounts. Compromised data included:

• Customer names

• Email addresses

• Phone numbers

• Shipping addresses

• Partial order histories

South Korea's Ministry of Science and ICT revealed that the breach was perpetrated by a former employee with intimate knowledge of the company's authentication systems and key management infrastructure. The individual, identified as a Chinese national, accessed data from over 33 million accounts but allegedly retained information from approximately 3,000 accounts before deletion.

According to Coupang's official statement, no sensitive information such as payment credentials, passwords, or government identification numbers was compromised.

Regulatory Response and Alleged Disparities

The U.S. investors contend that South Korea's response to the Coupang incident has been disproportionately severe compared to similar breaches involving other companies. The government has reportedly threatened:

• Fines potentially exceeding $800 million (3% of revenue under current law)

• Operational suspension

• Travel restrictions for executives

• Restrictions on corporate communications

South Korean lawmakers have proposed increasing the penalty cap to 10% of revenue and applying it retroactively, though such legislation would not legally apply to incidents occurring before enactment. South Korean President Lee Jae Myung has publicly advocated for severe penalties against the company.

The investors' filing highlights comparative cases demonstrating alleged inconsistency:

• KakaoPay: Transferred 54 billion customer records to Alipay Singapore, received $10 million fine and CEO warning

• SK Telecom: Massive SIM card breach resulted in $91 million fine

• Upbit and AliExpress: Minimal regulatory action following their respective incidents

Compliance Issues and Government Claims

The Ministry of Science and ICT alleges that Coupang:

1. Failed to report the breach to the Korea Internet & Security Agency (KISA) within the mandatory 24-hour window

2. Did not fully comply with a November 2025 data preservation order

3. Allowed deletion of critical web and application access logs

The ministry has mandated that Coupang submit a comprehensive prevention plan by February 2026, with compliance monitoring extending through July.

Corporate Response and Leadership Changes

In response to the crisis, Coupang replaced CEO Dae-jun Park with Harold Rogers, the U.S. parent company's chief legal officer, in December.

Broader Geopolitical Implications

The dispute has significant ramifications beyond the immediate data breach investigation. There is a mandatory 90-day consultation period before formal arbitration proceedings can commence, during which South Korea's Ministry of Justice will review the investors' claims.

In their notice of intent, the investors stated: "The Government's unprecedented assault on a U.S. company to benefit its Korean and Chinese competitors is an egregious violation of the Treaty, principles of international law, and the historic partnership between Korea and the United States."

The investors warn that if the South Korean government does not cease what they characterize as discriminatory actions, they will pursue billions of dollars in damages for alleged treaty violations, including attempted expropriation.

Strategic Context

According to Adam Farrar, senior associate at CSIS and senior geoeconomics analyst for APAC at Bloomberg, the incident has evolved into a broader bilateral issue between the United States and South Korea, potentially amplifying U.S. concerns about discriminatory treatment of American technology firms.

The case intersects with existing tensions regarding South Korean digital policies that critics argue favor domestic companies, including:

• Network usage fees imposed on content providers like Netflix

• App Store payment restrictions affecting Apple and Google

• Data localization requirements

• Geographic data restrictions affecting services like Google Maps on national security grounds

With increasing engagement from the U.S. Congress on these issues, the Coupang arbitration case could have significant implications for trade relations and technology policy between the two nations.