Coupang v. South Korea: When a data breach leads to a geopolitical standoff

Investigations into a massive data leak involving an American e-commerce giant in South Korea have triggered investment dispute action and tariff threats. Such pushback, cautions Burcu Kilic, can serve as a recourse for tech companies to deter government scrutiny of their extensive operations.

---

USUALLY, hearing the words ‘investor-state arbitration’ invokes a familiar story: a foreign investor suing a host government in international arbitration, claiming that the government harmed its investment through regulation or other state action. For decades, that has been true, but the Coupang v. South Korea case now challenges that assumption.

Coupang – widely known as ‘the Amazon of Korea’ – is that nation’s dominant e-commerce and logistics platform. It is built for Korean consumers and operates primarily in South Korea, with nearly 90% of its revenue coming from the Korean market.

Crucially, it does not operate in the United States, and most Americans have never heard of it. However, Coupang is incorporated in the US state of Delaware, listed on the New York Stock Exchange, backed by American investors, and files with the US Securities and Exchange Commission. On paper, that makes Coupang an American company, and in the world of investment arbitration and Washington politics, that is all it takes.

Coupang has 33.7 million customer accounts in South Korea, a country with a population of roughly 50 million. In November 2025, the company announced a data breach involving 33.7 million accounts but asserted that only 3,000 records were exposed. The sheer scale of the breach – involving two-thirds of the population – prompted police and regulatory investigations, lawsuits and political outrage.

However, it soon became clear that those ‘3,000’ records were not telling the full story. Authorities later found that an additional 165,000 records had been exposed, including sensitive information such as names, phone numbers and addresses.

More importantly, this was not a ‘hack scandal’ as we usually understand it, but rather a massive data leak stemming from a security failure on Coupang’s end. The government investigation found that a former Coupang engineer had walked out with a cryptographic signing key and used it to generate login tokens. For seven months, Coupang’s monitoring systems caught nothing out of the ordinary. According to press reports, Coupang’s security budget accounted for only 0.2% of revenue. Amazon, for reference, invests between 1–1.4% of its revenue in security.

Given the context, the data leak caused significant public backlash in South Korea in December 2025. The breach triggered regulatory and parliamentary scrutiny, and the kind of political outrage one would expect when tens of millions of consumers learn that their data has been exposed. Coupang’s CEO resigned, and the government established a ‘Coupang Task Force’ to investigate the leak and take necessary measures to protect Korean consumers. The incident also resurfaced broader concerns about Coupang, including market power, labour practices and the safety risks associated with its extremely short delivery windows: same- or next-day delivery, year round.

Amid all this outrage, the case took a turn deserving close attention from anyone working on digital governance.

The pressure campaign: investor-state dispute settlement, Section 301 and tariffs

Two US investors – Greenoaks and Altimeter – served a notice of intent to initiate arbitration against South Korea under the investment chapter of the Korea-US Free Trade Agreement. Investor-state dispute settlement (ISDS) is a set of rules that permits foreign investors to sue a government in international arbitration for damages arising from alleged breaches of a free trade agreement. As such, ISDS threats can deter regulatory and enforcement efforts by making them appear to pose a liability risk. In this case, Greenoaks and Altimeter claim that Korea’s regulatory and administrative response after the leak was ‘discriminatory, disproportionate and pretextual’, and estimate their losses in the tens of billions of dollars.

However, the notice of intent was only the beginning. While dealing with the fallout from one of the country’s biggest data leaks and trying to control the narrative in South Korea, Coupang was lobbying hard in Washington. The investors also petitioned the United States Trade Representative under Section 301 of the US Trade Act, requesting an investigation into Korea’s actions and trade remedies that could include retaliatory tariffs on Korean goods. Republican Party lawmakers in the US Congress are investigating alleged discrimination against Coupang, the American company in South Korea, and have issued a subpoena seeking communications between Coupang and the Korean government. Press reports linked the Trump administration’s decision to raise tariffs on Korean goods, from an already agreed 15% to 25%, partly to the Coupang dispute.

Data breaches and leaks occur frequently, and when companies fail to implement basic cybersecurity controls (in this case, a basic offboarding process), communicate clearly and take responsibility, regulators must be able to investigate and hold them accountable. Coupang was already facing scrutiny over platform market power, worker safety and labour practices, and the data leak and public outrage pushed the Korean government and parliament to dig deeper into consumer protection. The case also made clear that Coupang is so dominant in the South Korean market that, even if users want to leave, many have no real alternative.

Looking ahead, this arbitration threat should be seen as a test case. If foreign investors can frame the Korean multi-agency enforcement as ‘discrimination’ or ‘unfair treatment’, it could chill privacy, cybersecurity and competition enforcement well beyond Korea.

What makes Coupang’s case even more interesting are the different layers. This layering of ISDS threats, Section 301 petition and congressional pressure is aimed at casting South Korean regulatory and parliamentary action as anti-American, protectionist and pro-China. In other words, it turns a domestic accountability response into a geopolitical confrontation.

South Korea may have a strong case for regulatory and parliamentary action following mismanagement and a major cybersecurity failure. However, tariff pressures may push Seoul towards a settlement.

As one US commentator wrote back in December 2025: ‘Trump has worked hard to rebalance the trade relationship with Korea, and it would be very unfortunate if Korea undermines his efforts by targeting US tech firms. … A strong, coordinated US response is essential to safeguard fair treatment of US companies and maintain strategic balance against China’s growing economic influence in the sector.’

Traditionally, tech companies have not relied on ISDS to challenge government regulations or actions, in part because US trade policy and diplomacy have long advanced their agenda. In recent years, however, they have become more conscious of investment treaty protections. Uber tested this playbook in Colombia back in 2020, after the Colombian competition authority banned Uber’s ride-hailing app. Uber threatened Colombia with an ISDS claim, but the ban was shortlived and was quickly overturned by the highest court soon after.

If South Korea settles, it will set a global precedent: It will let regulators worldwide know that ISDS cases do not have to reach a tribunal to cause damage. That threat alone could chill regulatory, administrative and judicial efforts globally, and it is precisely why the Coupang case serves as a cautionary tale for everyone. ISDS, or just the threat of it, combined with trade pressure and political lobbying, can be a powerful tool for tech companies to discipline governments. We need to name this pattern now – before it becomes the new normal.                     

Burcu Kilic is a senior fellow with the Centre for International Governance Innovation (CIGI), and a scholar, strategist and expert in trade and technology policy. She is principal consultant at BKS Ventures, where she advises organisations across civil society, philanthropy and government.     

This article is reproduced from the CIGI website (www.cigionline.org). The opinions expressed in this article are those of the author and do not necessarily reflect the views of CIGI or its Board of Directors.

*Third World Resurgence No. 366, 2026/1, pp 9-10