South Korea’s Multi-Agency Crackdown on Coupang

Sparks Allegations of Double Standards

Massive Coupang Data Breach Triggers Government Outrage

In late 2025, Coupang, South Korea’s largest e-commerce platform, disclosed a massive data breach affecting some 33 million customers . This breach – compromising roughly the entirety of Coupang’s user base – provoked immediate public uproar and a political firestorm in Seoul . Lawmakers lambasted Coupang’s handling of the incident amid reports that the company initially underreported the scope of the leak. (Early on, Coupang had claimed only a few thousand accounts were affected, before revising the figure to tens of millions.) The confirmation of 33.7 million customers’ personal information exposed stirred angry backlash and calls for accountability . President Lee Jae-myung publicly demanded tough penalties for the lapse , signaling the government’s intent to respond decisively.

Compounding matters, Coupang’s own response drew criticism. The company conducted an internal probe and asserted that while millions of accounts were accessed, only about 3,000 data files were actually exfiltrated and those were later deleted by the perpetrator . It even offered $34 coupons (approximately ₩45,000) to each of the 33 million potentially affected users as compensation, at an estimated cost exceeding $1 billion . But many Korean officials questioned Coupang’s “self-investigation” findings. The Science and ICT Minister noted the possibility that stolen data could still be stored somewhere and abused (even by hostile foreign actors), contradicting Coupang’s assurances that no data remained at large. Such skepticism, combined with Coupang’s perceived lack of full cooperation – its interim CEO Harold Rogers was accused of evasion during a parliamentary hearing on Dec. 30, 2025 – fanned the government’s resolve to intervene forcefully. When Coupang’s founder and chairman Bom Kim (a U.S. citizen) declined to appear before the National Assembly citing overseas commitments, lawmakers’ fury grew . This perfect storm of a colossal data incident and perceived defiance set the stage for an unprecedented crackdown.

“Complex Major Incident”: An Unprecedented Multi-Agency Investigation

Seoul quickly classified the “Coupang incident” as a “복합적 중대 사안,” or “complex, major issue,” reflecting how multiple crises converged in one case – from data security to labor and fair-trade concerns. In response, the government formed a broad task force involving 12 ministries and agencies to scrutinize Coupang on all fronts. What began as an inquiry into a cybersecurity failure rapidly expanded into a whole-of-government investigation . Authorities outlined four main probes targeting: (1) Personal information protection, (2) Labor rights and workplace safety, (3) Fair trade and vendor relations, and (4) Tax compliance.

Data Breach Re-Examination: Regulators and police are re-investigating the personal data leak itself, effectively back to square one despite Coupang’s own findings. Investigators harbor “strong doubts” about the credibility of Coupang’s internal report – especially its claim that the leaked records were deleted and posed no further risk. Notably, there is concern that a former Coupang employee based in China was behind the breach , raising fears that sensitive data might have fallen into foreign hands. The Ministry of Science and ICT and law enforcement have focused on whether Coupang failed to preserve evidence or even attempted a cover-up. In fact, the ministry alleges that, despite official orders to preserve logs, Coupang allowed critical web access logs from the past five months to be deleted, potentially hampering forensic analysis. Such actions have led to a police investigation into possible evidence destruction or tampering. Korean authorities have made clear they will “reset” any premature conclusions: Coupang’s self-declared clean bill of health is being treated with suspicion as officials seek to independently verify the extent of damage and data flow . The stakes are high – the science minister warned that any stolen personal data “could be stored somewhere unknown” and exploited, even by nation-state hackers, calling it a “very serious issue” for national security.

Labor Rights and Safety Probe: Separately, the Ministry of Employment and Labor launched a probe into workplace conditions at Coupang, revisiting longstanding accusations that predate the breach. Coupang has faced public ire over industrial accidents and worker safety, including allegations of covering up workplace injuries and overworking employees, especially during overnight shifts. The data fiasco resurfaced these labor issues in the public eye. During the National Assembly hearing, lawmakers grilled Coupang’s leadership about an infamous 2020 case: a young warehouse worker’s death, after which (according to allegations) Coupang management instructed staff “not to leave records showing he had worked too hard.” The interim CEO’s evasive answers and his remark that he had “no evidence that night shifts are any harder than day shifts” only deepened lawmakers’ concerns. In response, the Labor Ministry has vowed a swift investigation into any industrial accident cover-ups and is conducting extensive on-site inspections of Coupang’s warehouses. They are specifically reviewing compliance with rest period regulations, night work policies, and health protections for workers. Any findings of safety lapses or intentional hiding of workplace injuries could lead to criminal charges under Korea’s workplace safety laws. In short, what started as a data privacy issue has also become a full audit of Coupang’s treatment of its thousands of employees.

Fair Trade and Supplier Relations: Korea’s Fair Trade Commission (FTC) similarly turned its spotlight on Coupang’s business practices toward suppliers and marketplace sellers. At the Dec. 31 hearing, a small supplier delivering a tearful testimony accused Coupang of predatory behavior – even copying a humble ₩3,000 herb product to drive the supplier out of the market. Such claims of bullying and “갑질” (abuse of power) in dealing with third-party merchants have dogged Coupang before. Now, the FTC is investigating whether Coupang engaged in unfair trade practices or “technical theft,” such as launching copycat products or abusing its platform dominance against vendors. The FTC Chairman Joo Byung-gi likened the alleged behavior to technology appropriation and promised a thorough inquiry. The agency is also examining whether Coupang holds a dominant market position (which would subject it to stricter regulation) and even whether Bom Kim should be designated a conglomerate head under Korea’s antitrust regime – moves that could impose new compliance burdens on the company. Notably, regarding the data leak itself, the FTC signaled it could impose severe penalties under consumer protection law – even hinting at possible business suspension for Coupang’s e-commerce operations as an ultimate sanction, something almost unheard of at this scale. While such an extreme measure may be unlikely, the mere suggestion underscores the “make no compromises” stance officials are taking  .

Tax and Financial Audit: Perhaps the sharpest prong of the crackdown is an extraordinary tax audit. In December 2025, the National Tax Service’s elite investigation bureau (often dubbed the “grim reapers” of tax evasion probes) descended on Coupang’s Seoul headquarters, deploying about 150 agents to scour financial records  . This special audit not only covers Coupang’s domestic books but also examines its transactions with its U.S.-based parent company . Officials suspect “offshore tax avoidance” schemes – for instance, large payments of royalties, fees, or commissions from the Korean unit to the U.S. parent, which could artificially depress local taxable income . They are also scrutinizing internal transfer pricing between Coupang’s numerous subsidiaries to see if profits were shifted inappropriately to cut tax bills. Seoul’s regional tax office reportedly began this probe shortly after the data leak came to light, suggesting the breach may have prompted authorities to fast-track or expand ongoing tax inquiries . The National Tax Service (NTS) has officially neither confirmed nor denied details (as it typically keeps audits confidential) . However, at the parliamentary hearing, NTS Commissioner Lim Gwang-hyun stated that the agency is looking into Coupang’s international transactions and even coordinating with the U.S. Internal Revenue Service, indicating a broad scope . If evidence of tax evasion or illicit outflows is found, Coupang could face hefty back taxes and penalties, adding yet another financial blow on top of any data breach fines.

Through this concerted action, South Korean authorities conveyed a clear message: Coupang’s data breach is not being treated as an isolated cybersecurity lapse, but rather as a catalyst revealing deeper corporate malpractices. Deputy Prime Minister Bae Kyung-hoon (who also serves as Science and ICT Minister and leads the pan-government task force) vowed to “leave not a single suspicion unexamined” and to use “every legal means available” against any wrongdoing. In his words, the government will move “as one team” and will “accept no compromise” when it comes to protecting citizens’ data, workers’ lives, or fair market order. The breadth of the probe is unprecedented in scale and intensity, especially for a private-sector data breach. Coupang – a company often lauded as the “Amazon of Korea” – suddenly finds itself under the microscope like never before.

Contrast: Treatment of Chinese Tech Platforms in Korea

The sweeping crackdown on Coupang has raised eyebrows partly because it contrasts with how South Korea has handled similar issues involving Chinese tech giants operating in its market. In recent years, Chinese e-commerce platforms like Alibaba’s AliExpress and PDD Holdings’ Temu have rapidly gained popularity among Korean consumers, raising some regulatory concerns of their own. Korean authorities have indeed taken action on data protection issues involving these foreign players – but the responses have been far more limited in scope compared to the multidimensional offensive against Coupang.

South Korea’s Personal Information Protection Commission (PIPC) investigated AliExpress and Temu in 2024-2025 after parliamentary inquiries flagged their data handling practices . These Chinese online shopping apps had been collecting and transferring Korean users’ personal data to overseas servers. The PIPC found violations of Korean privacy law – notably, failing to properly disclose cross-border data transfers and to obtain user consent. As a result, AliExpress was fined ₩1.98 billion (around $1.4 million) in July 2024 for data protection violations . Likewise, in May 2025 Temu was hit with a ₩1.37 billion fine (~$1 million) for illegally sending Korean user data to entities in China, Singapore, and other countries without proper notice . Regulators also ordered Temu to rectify its practices – for example, to clearly inform users of overseas data storage, appoint a local data protection representative, and simplify account deletion procedures  .

While these penalties were significant, they were single-issue enforcement actions focusing strictly on personal data/privacy law compliance. The Chinese firms faced monetary fines and corrective orders, but nothing on the order of a multi-pronged government crackdown. Notably, no criminal raids or broad investigations beyond the privacy realm were undertaken – understandable, as companies like AliExpress and Temu have minimal physical presence in Korea (no vast local workforce or warehouses to inspect, and limited local taxable profit). The Fair Trade Commission did show interest in Chinese platforms’ consumer practices – for instance, it inspected AliExpress’s Korean unit in early 2024 over customer protection standards  and has reviewed possible sanctions against Temu for alleged deceptive advertising . However, these actions again were within normal regulatory bounds. There was nothing akin to a 12-agency task force scrutinizing labor conditions or tax structures of Chinese tech firms in Korea. In short, the enforcement approach toward Chinese e-commerce platforms, while increasingly strict on data privacy, has been relatively compartmentalized – involving fines and specific probes – and certainly far less draconian than what Coupang is now experiencing.

This discrepancy has fueled debate about double standards. Coupang’s situation – arguably punitive and public in nature – stands in contrast to the quieter regulatory handling of foreign competitors. Some industry observers note that Chinese retailers’ infractions (such as undisclosed data exports) could also be considered serious, yet they did not trigger the kind of public, punitive response that Coupang’s breach did. For example, transferring millions of Korean users’ data to China without consent has obvious security implications, but AliExpress and Temu were allowed to remedy issues by paying fines and updating policies  ; in Coupang’s case, Korean authorities are contemplating penalties as severe as suspending parts of its business or levying fines potentially up to 3% of annual revenue (a sum that could exceed $800 million) . This stark difference has led to questions about whether national origin or politics are influencing regulatory zeal.

Accusations of Discriminatory Treatment and Overreach

Amid the government’s onslaught, Coupang’s major U.S. investors have cried foul, explicitly accusing the Korean authorities of discrimination and overreach. On Jan. 22, 2026, two large American shareholders – investment firms Greenoaks and Altimeter – announced they had petitioned the U.S. government to intervene, alleging that Seoul’s response to the Coupang breach “has gone far beyond normal regulatory enforcement” and amounts to discriminatory treatment of a U.S.-based company  . They filed notices of intent to pursue arbitration under the Korea–U.S. Free Trade Agreement (KORUS) and even urged the U.S. Trade Representative to consider trade measures (such as tariffs) against South Korea . These investors – who together hold over $1.4 billion in Coupang shares – argue that the Korean government launched a “whole-of-government campaign to cripple Coupang’s business”, including investigations into labor, finance, and customs matters “that bear little relation to the data incident” itself . In their view, what should have remained a targeted inquiry into a data security lapse has been weaponized to undermine Coupang’s broader operations.

In a detailed petition obtained by Korean media, the investors contend that the data breach was merely a pretext for officials to act on other grievances . They described the incident – albeit huge in scale – as a “limited data breach” in terms of actual harm, noting Coupang’s claim that only thousands of records were truly leaked and that those were deleted with no further dissemination . By contrast, they say the government’s reaction morphed into a “broader campaign to undermine Coupang’s competitiveness” . The petition pointedly alleges that the administration of President Lee Jae-myung is trying to “eliminate a successful U.S. company’s ability to compete” in Korea “with the Korean and Chinese companies that the government favors” . This explosive charge suggests that South Korea’s ruling camp might be shielding or preferencing domestic rivals (like Naver) and even Chinese platforms (like the aforementioned AliExpress/Temu) at the expense of Coupang . To bolster this claim, the investors highlighted what they see as a political bias: accusing President Lee and his ruling party of espousing an “anti-U.S., pro-China stance” in general . They cited past instances, such as Lee’s critical remarks about U.S. forces in Korea and historical issues, as evidence of a broader ideological tilt that could translate into hostile treatment of an American-founded enterprise. Essentially, the investors suggest Coupang is a victim of geopolitical favoritism – a claim that, if true, underscores why AliExpress and other Chinese firms might be encountering relatively lighter scrutiny.

The investors didn’t mince words in condemning the Korean government’s tactics. They likened the regulators’ aggressive moves to something one would expect from “totalitarian adversaries like Venezuela or Russia,” not a democratic ally . The petition asserts that Korean authorities have repeatedly violated the spirit of KORUS and international law through “illegal actions” that inflicted billions in losses on foreign investors . They warn that the “scale and speed” of Seoul’s onslaught has created an unpredictable business environment for foreign companies  and poses an “existential threat” to Coupang’s future  . Coupang’s New York–listed stock has indeed suffered, dropping roughly 27% in value since the breach was disclosed at the end of November . This sharp decline reflects investors’ fear that regulatory penalties (such as multi-hundred-million-dollar fines or draconian sanctions) could severely damage the company’s finances and growth prospects.

In summary, from the perspective of Coupang’s U.S. stakeholders, the punishment far exceeds the crime. They acknowledge a serious security lapse occurred, but maintain that Coupang has apologized and taken remedial steps – only to be met with an onslaught of unrelated probes seemingly designed to hamstring the company’s operations across the board. The portrayal is one of regulatory overkill bordering on protectionism: a Korean government seizing on an incident to rein in a market-dominating foreign player and perhaps boost favored domestic or even Chinese competitors. These allegations have rapidly escalated the issue beyond Seoul’s borders, injecting strain into U.S.–Korea trade relations. Indeed, what began as a corporate data breach has transformed into a potential bilateral trade dispute. American officials are now being asked to judge whether South Korea’s handling of Coupang is fair or discriminatory – an unusual development between two allies.

Seoul’s Defense: “No Favoritism – Just an Unprecedented Breach”

South Korean officials strongly deny any discrimination or improper motives, insisting that their response is driven solely by the severity of the incident and Coupang’s own missteps. They point out that the sheer scale of the leak was unprecedented in Korea, justifying an all-hands-on-deck approach. The Minister of Trade, Yeo Han-koo, refuted claims of bias, stating that Seoul is “not discriminating against Coupang” and that U.S. observers had “misunderstandings” about the situation . He argued that no country would take lightly the exposure of tens of millions of citizens’ data: “If a Korean company doing business in the U.S. caused such a large-scale information leak in the U.S., the U.S. would naturally do the same,” Yeo said, emphasizing that Korea’s actions are lawful and necessary for consumer protection . President Lee, for his part, asserted that South Korea is a sovereign nation that will handle the case “fairly according to law and principle,” regardless of outside pressure . In other words, Seoul’s message is that rule of law and public interest are guiding the probe – not an agenda to single out a U.S. firm. Officials note that Coupang’s handling of the breach was seen as inadequate – for example, the five-month lag in detecting the intrusion (it reportedly began in June 2025 but was only noticed in November) and the initial downplaying of its scale  . Such factors, they argue, warranted a tough stance to ensure accountability and prevent future negligence.

Regarding the breadth of the investigations, Korean regulators contend that many of these issues were not conjured from thin air but had been lingering concerns. The labor and safety violations, for instance, had been subject to complaints and past probes; the data breach simply catalyzed a more urgent examination of them. Similarly, questions about Coupang’s market dominance and treatment of suppliers have existed for years in Korea’s retail sector discourse. With the company now under intense public scrutiny, authorities felt it was an opportune (and justified) time to address all facets of Coupang’s impact on the market and society. In their view, this comprehensive approach is about protecting Korean consumers, workers, and fair competition, not about where the company’s headquarters or investors are based. The Prime Minister, Kim Min-seok, explicitly rejected the notion of anti-foreign bias, saying “There is absolutely no discrimination against Coupang… The U.S.–Korea relationship is based on trust, so there is no need to worry about discriminatory treatment” .

Nonetheless, the juxtaposition with Chinese companies is a sensitive point. The Korean government would argue that it has been enforcing the rules on Chinese platforms too – citing the fines on AliExpress and Temu, and ongoing investigations into their conduct  . The difference in scale, they might say, lies in the infractions themselves: Coupang’s breach directly affected over half the country’s population, whereas AliExpress/Temu’s violations, while serious, were procedural (failure to disclose data transfers) and involved far fewer Korean users. Moreover, Coupang, as the dominant local e-commerce player, carries a greater responsibility in the eyes of regulators for the domestic ecosystem – from employment to small-business relations – responsibilities foreign platforms haven’t assumed to the same extent. From this perspective, the “hard line” on Coupang is about a specific company’s conduct and impact, not its national origin. Korean officials maintain that any company – domestic, American, Chinese or otherwise – would have faced a similar reckoning if found at the center of such a far-reaching incident in Korea .

Ongoing Fallout and Looking Ahead

As it stands now in early 2026, the “Coupang saga” has evolved into one of the most complex and charged government-business showdowns in Korea’s recent history. The multi-agency investigations are ongoing, and their outcomes remain uncertain. Coupang could face penalties on several fronts: the privacy regulator (PIPC) is weighing fines that analysts estimate could reach into the hundreds of millions of dollars; the labor probe could result in legal action if wrongdoing is confirmed; the FTC could impose remedies or fines for any unfair practices; and the tax audit might claim back taxes or penalties if irregularities are found. The reputational damage to Coupang within Korea is already significant – public trust has been shaken by the data leak and the subsequent revelations of its labor issues. Some politicians have even mused about encouraging competition or alternatives to ensure no single platform becomes “too big to regulate.”

On the international front, this case has now drawn the attention of trade officials and could test the robustness of KORUS protections for investors. The U.S. Trade Representative’s office has a 45-day window (from the filing date) to decide whether to launch a formal investigation into South Korea’s treatment of Coupang . If it does, it could lead to public hearings and, eventually, U.S. countermeasures (like tariffs) if Washington deems South Korea’s actions unfair. Meanwhile, the 90-day consultation period under the KORUS arbitration request will be a critical diplomatic juncture; Seoul will need to justify its actions to avoid a protracted legal battle or political fallout with its ally. It’s a delicate balancing act: Korea must show it can enforce its laws vigorously, yet it will want to avoid the perception of being hostile to foreign business or of favoring certain players. The outcome may set an important precedent for how far a government can go in regulating tech giants – and how such efforts intersect with international trade obligations in the era of digital commerce.

Deputy PM Bae Kyung-hoon has pledged that the government will “move as one team… until the public is reassured” and that “not a single suspicion” will remain unaddressed. “There will be no compromise,” he said, “when it comes to acts that undermine the safety of our people, the lives of workers, or fair market order.” . For its part, Coupang insists that it is cooperating and has taken unprecedented steps to make amends (such as the blanket compensation vouchers) and bolster security. The company and its backers clearly feel unfairly singled out, but until Korean authorities conclude their probes, Coupang remains under intense government pressure.

In the coming months, observers will watch whether South Korea tempers its approach or presses on uncompromisingly. Will the “complex major incident” be resolved in a way that satisfies Korean public demand for corporate accountability while also convincing foreign investors of a fair process? Or will it deepen into a larger rift, reinforcing the investors’ narrative of selective enforcement against a foreign-affiliated firm? The final act of this saga will have implications not just for Coupang’s fate, but for Korea’s regulatory climate and its reputation among global businesses. For now, the Coupang case serves as a dramatic example of a government drawing a line in the sand after a tech giant’s failure – and the contentious debate over whether that line was drawn fairly for all.

Sources: South Korea National Assembly hearing coverage (Dec 2025); Reuters – “Coupang investors seek US probe over South Korea’s handling of data leak”  ; Reuters – “South Korea probes data protection by e-commerce platforms like AliExpress, Temu”  ; Korea JoongAng Daily – “Complaint by Coupang’s U.S. investors may turn data leak probe into trade flash point”  ; Korea JoongAng Daily – “Temu fined nearly $1 million in Korea for transferring users’ data to China”  ; Reuters – “South Korea tax agency conducts special audit of Coupang following data leak”  .