US Investors Look to Curb Harsh South Korean Government Penalties for Coupang Data Breach

Proposed harsh penalties for Coupang in the wake of its late 2025 data breach have spooked numerous US investors in the company, who have now filed a class action suit seeking to force South Korea’s Ministry of Justice into arbitration.

The door is open to US investors to make this demand due to Coupang headquartering the international division of its business in Seattle. The plaintiffs claim that South Korea’s penalties have caused billions of dollars in damage to shareholder value, but the case is complicated by the fact that a great deal of those fines and penalties have not been settled on yet.

Class action suit points to disparities in recent data breach responses

The Coupang data breach has been linked to a Chinese national former employee who had worked on the company’s authentication systems. While the data breach did not involve payment information, the account contact information for over 30 million users was exposed along with order history for “some” unspecified amount of Coupang customers.

The US investors not only seek damages, but are also asking the U.S. Trade Representative (USTR) to look into possible sanctions or tariffs. Whether this will actually escalate to an international trade incident is unclear. It is still not entirely clear what amount Coupang will ultimately be fined for the data breach. The present laws cap the total at 3% of annual income, which would be about $700 million. However, a number of South Korean lawmakers are calling for special exceptions for this case to boost the amount to up to 10%.

For some perspective as to the central argument the US investors are making, the fairly recent SK Telecom breach (disclosed in April 2025) involved a similar count of about 25 million customer records and ended in a $91 million fine; SK Telecom has not paid this yet as they filed an appeal to have it overturned last month. And in that case, SK Telecom is arguing that restitution and remuneration paid out was not sufficiently considered in determining the fine amount. Coupang has already committed to $1.18 billion in compensation to impacted users.

US investors look to curb special penalties

Coupang has also responded by indicating that only several thousand user accounts were seriously impacted by the data breach; the hacker seems to have ignored the vast majority of them, and may have been after very particular high-profile targets.

The group of US investors currently committed to the lawsuit include Greenoaks, Altimeter, Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management. The case invokes arbitration required under the U.S.-Korea Free Trade Agreement (FTA), but the parties must undergo a 90-day consultation before that begins.

While the fine totals are still up in the air, the US investors also point to travel restrictions placed on Coupang executives and call it “unprecedented” action against a business based in the US by a foreign government. While Coupang’s international arm is headquartered in the US, its main corporate headquarters is in Seoul and it does nearly all of its business in East Asia.