The Coupang Data Breach: Understanding the Lawsuits
- UCL Law for All Society

By Jiwon Yu

On the 29th of November, 2025, Coupang–South Korea’s dominant e-commerce and delivery platform–found itself at the centre of one of the most consequential data leaks in the country’s history. The breach, conducted by a single former employee, exposed data linked to 33.7 million users–roughly two-thirds of South Korea’s population. This not only triggered public outrage and massive class-action litigation from the South Korean populace, but has also prompted U.S. shareholders of Coupang’s parent company to bring arbitration claims. Yet, irrespective of all this, one legal question still remains: when a company’s operational identity and legal identity span different jurisdictions, who holds it accountable–and under what standards?
What Is Coupang?
Founded in 2010 by Bom Kim, Coupang built its brand on ‘Rocket Delivery,’ an ultra-fast shipping service that enabled overnight deliveries in South Korea, completely reshaping consumer expectations within this field. Often dubbed the ‘Amazon of South Korea,’ Coupang has found itself deeply embedded into everyday life.
Yet, despite most of its operations being in South Korea, its parent entity, Coupang Inc., is incorporated in Delaware and publicly traded on the New York Stock Exchange (NYSE), effectively rooting its corporate governance structure in U.S. law.
This dual identity was chosen by Kim for a particular reason: the U.S. allows mechanisms like dual-class share structures–an unequal division of shares into classes that divide ownership from control of a company–that are not permitted under Korean corporate law. This is why, although Coupang Inc. answers to global investors, Kim still retains outsized voting control.
However, that structure also creates legal complexity: Korea claims authority as the site of operations and the locus of consumer harm while the United States claims authority as the company’s legal home and securities regulator. This means that, when a crisis arises, the overlap between these systems becomes heavily contested.
What Exactly Is the Problem?
As mentioned earlier, Coupang–on November 29th–disclosed unauthorised access to customer data that reportedly began months earlier, as early as June. Its initial estimate suggested that 4,500 accounts were affected; that figure expanded dramatically to 33.67 million accounts shortly after.
Coupang, after conducting its own investigation, determined that the former employee only retained data from about 3,000 accounts and that the data had been deleted before being shared externally. South Korean authorities have challenged this result.
Their position is that the scope of exposure–not merely the number of accounts ultimately retained–defines the seriousness of the breach. From their perspective, months of unauthorized access affecting millions of users cannot be minimized by focusing on how much data was allegedly saved.
Under South Korean law, unauthorised access alone may constitute a significant violation, even in the absence of proven downstream misuse. The distinction between “exposure” and “exploitation” therefore becomes legally meaningful. Coupang’s defense centres on limited retention and deletion; regulators emphasize the scale and duration of vulnerability.
The Lawsuits
In late 2025, more than 240,000 individuals joined a class-action lawsuit seeking 70 billion won (approximately $50 million) in damages from Coupang. The plaintiffs allege negligence, inadequate cybersecurity safeguards, delayed disclosure, and emotional distress resulting from exposure of personal information.
At the same time, pressure has emerged from the opposite direction. U.S.-based investors–including firms such as Greenoaks Capital and Altimeter Capital–have reportedly filed arbitration claims against the South Korean government. They argue that regulatory actions taken in response to the breach amount to unfair or discriminatory treatment, violating the U.S.-Korea Free Trade Agreement (KORUS).
From the investors’ standpoint, heightened regulatory penalties and enforcement measures have depressed share value, contributing to a reported 9% decline in Coupang’s stock over the past year. That decline represents hundreds of millions of dollars in lost market capitalization. Their claim reframes the issue not simply as corporate misconduct, but as a dispute over investor protections under international trade law.
Moving Forward
In the most stabilizing potential outcome, both South Korean regulators and U.S. authorities treat the dispute as a stress test rather than a geopolitical confrontation. Under this scenario, enforcement actions proceed within clearly defined legal boundaries, class-action claims are resolved through structured settlements, and investor arbitration under the KORUS Free Trade Agreement results in clarification rather than escalation.
The long-term effect would be regulatory convergence. South Korea might refine its statutory definitions of “harm” in data exposure cases, while U.S.-listed companies with foreign operational concentration adopt more stringent overseas compliance standards. Over time, multinational firms could internalize the expectation that they are accountable to both legal homes simultaneously, not alternatively.
However, this scenario seems highly unlikely, given how U.S. President Trump has been using the dispute as a partial reason to raise reciprocal tariffs on South Korea back up to 25%.
A second, more adversarial scenario would see the breach catalyze regulatory nationalism. South Korea, responding to public anger and political pressure, could adopt stricter data localization or cybersecurity mandates aimed at firms with foreign incorporation. U.S. investors, perceiving disproportionate treatment, might escalate arbitration or lobby for trade countermeasures.
In this trajectory, the core dispute shifts from consumer protection to sovereignty. The question becomes not “Was there adequate cybersecurity?” but “Whose jurisdiction ultimately governs this company?” If tensions spill into trade policy, the incident could influence tariff discussions or broader digital trade negotiations.
For global firms structured like Coupang–operationally domestic but legally foreign–this environment would create structural risk. Companies may be pressured to reconsider incorporation strategies, re-evaluate dual-class governance structures, or even pursue partial redomiciling to mitigate political exposure.
This scenario seems more likely, given how South Korea has always been sensitive about data access by corporations for security reasons. Given the approaches taken so far by South Korean authorities, it seems likely that this case is no different from other cases, such as Google Maps requesting data access for South Korean territory.
The Broader Inflection Point
The Coupang breach emerged from a cybersecurity vulnerability, but its long-term significance lies elsewhere. It sits at the intersection of three accelerating forces: the globalisation of corporate structures, the localisation of regulatory enforcement, and the politicisation of digital infrastructure.
Whether the outcome is convergence, fragmentation, reform, or realignment will depend on how governments, courts, investors, and the company itself interpret the dispute moving forward. What is clear is that multinational digital platforms can no longer rely on jurisdictional ambiguity as a buffer.
In that sense, the future of this dispute is not just about resolving liability for a single breach. It is about defining how accountability functions in an economy where data flows globally, but political authority does not.
Edit by Artyom Timofeev

