The Coupang Case Explainer
Coupang’s Nationality – American or Korean?
Coupang Inc. (originally founded as Coupang LLC in 2010) was founded by Korean American entrepreneur Bom Kim and incorporated in Delaware. Since its inception, the company has operated almost exclusively in South Korea, launching initially as a social commerce platform modeled after Groupon. While it began by selling daily deals and coupons in Seoul, the company established its current identity around 2013 by pivoting to the end-to-end e-commerce platform it is known for today as the “Amazon of South Korea.”
At the heart of this pivot was the “Rocket delivery” service, officially launched in 2014, which ensures delivery by the next morning – mostly overnight – made possible in South Korea given its small land mass and concentrated urban population. Following its transformation, Coupang secured roughly $3 billion in total investment from Japan’s SoftBank, which fueled its aggressive expansion in Korea. This growth culminated in Coupang’s multibillion-dollar IPO on the New York Stock Exchange (NYSE) in March 2021, valuing the company at approximately $60 billion at the time of listing.
Shortly after the IPO, in June 2021, Kim stepped down from all his official roles at the South Korean subsidiary, Coupang Corp, while keeping his title as CEO and Chairman of the U.S. parent company, Coupang Inc., which wholly owns Coupang Corp. While he exited the local roles, Kim effectively retains control through Delaware’s dual-class stock structure, a mechanism legally prohibited for companies incorporated in South Korea. By holding Class B shares that carry 29 votes each, Kim commands over 74 percent of the total voting power as of late 2024.
On paper, Coupang perfectly qualifies as an “American” company – incorporated in Delaware, listed on the NYSE, and headquartered in Seattle. Harold Rogers, Coupang Inc.’s Chief Administrative Officer and General Counsel, who is newly serving as interim head of its Korean subsidiary, made that point clear at National Assembly hearings over the company’s massive data leak in Seoul.
Yet, with nearly 90 percent of its revenue generated in South Korea and about 25 million active customers in the country of 50 million, Coupang has previously argued, just as forcefully, that it is “Korean.” In July 2019, as Korea-Japan relations plummeted following Tokyo’s announcement of export controls against Seoul, Coupang was swept into a consumer backlash over its ties to Japanese capital. With the Softbank Vision Fund as its largest shareholder, the company then issued a statement to appease the Korean public, claiming: “Coupang is a proud Korean company. We were founded and grew here, and we operate more than 99 percent of our business in Korea.”
Coupang also highlighted its “Korean” identity in its 2021 Form S-1 – the central IPO registration document filed with the U.S. Securities and Exchange Commission – ahead of its NYSE listing:
Page 127, “We are a home-grown technology company that has now become one of the three largest private sector employers in the nation. We are a significant driver of new economic opportunities for the people of Korea.”
Page 128, “Our success has always been deeply tied to Korea, not only to the Seoul metropolitan area. Our logistics infrastructure spans the entire country… We are also planning to build additional fulfillment centers throughout Korea, to continue to create more jobs, and strengthen local economies.”
Page 134, “Our corporate headquarters is located in Seoul, Republic of Korea.”
Page F-8, “The Company’s main operations, including procurement, marketing, technology, administrative functions, and fulfillment and logistics infrastructure are predominantly located in South Korea, with some support services performed in China and the United States.”
In parallel, though its operations barely exist in the U.S., Coupang has poured significant resources into lobbying in Washington, with spending steadily increased to address cross-border regulatory issues and trade policies. According to Politico, Coupang “made a particular effort to woo MAGA-aligned officials” and President Donald Trump; in 2024 alone, the company spent $3.3 million, and in 2025, $2.27 million, on lobbying in total. These figures are comparable to Hyundai Motor’s U.S. lobbying expenditures – $2.32 million in 2024 and $3.34 million in 2025 – placing the e-commerce company with virtually no physical footprint in the U.S. on par, in Washington clout, with South Korea’s largest automaker and a major U.S. investor.
In Washington, especially on Capitol Hill, an operational footprint often matters when it comes to a technology company’s national identity or allegiance. This “boots on the ground” standard was famously applied to Zoom – a videoconferencing service founded by Chinese American engineer Eric Yuan – during the COVID-19 pandemic. Despite being incorporated in Delaware, listed on NASDAQ, and headquartered in Silicon Valley, Zoom faced intense scrutiny over its operational ties to China. Critics primarily targeted the company’s concentrated research and development workforce within Chinese borders; for many in Congress, this geographic concentration of labor, among other concerns, rendered Zoom a “Chinese entity” in practice.
Yet the irony lies in the inconsistent yardstick applied to Coupang. While Zoom was scrutinized for employing, according to the Citizen Lab, roughly 700 people in China, Coupang presents an even more extreme case of geographic labor concentration. As of last year, Coupang and its subsidiaries directly employed over 90,000 people in South Korea – making it one of the nation’s largest job creators – while maintaining a workforce of just about 1,000 in the United States.
While a distinction needs to be made between a strategic rival and an ally, the underlying metric for defining an “American” company should remain consistent. Thus, if domestic operational presence, such as local employment, is the true measure of a company’s national identity or allegiance, then Coupang – whose customers, logistics, and revenues are almost exclusively rooted in South Korea – should be treated as “Korean,” not “American,” by the same standard. Furthermore, on basic service availability in the United States, Zoom serves hundreds of millions of Americans; Coupang does not.
Coupang’s Data Leak – 33 Million Accessed, but 3,000 Retained
On November 29, 2025, Coupang publicly disclosed that it became aware on November 18 of “unauthorized personal data access involving about 4,500 customer accounts.” It added, however, that a subsequent investigation found “the extent of customer account exposure is about 33.7 million accounts, all in Korea,” involving information such as “names, email address, phone number, shipping address and certain order histories,” which began in June 2025 via overseas servers. This disclosure followed local reports that Coupang had filed a criminal complaint against its former employee from China over a data breach. The infiltration was discovered only after the suspect himself sent threatening anonymous emails to the company and several individual users.
But on Christmas Day, Coupang issued a surprise update – allegedly without coordinating with the Korean authorities – stating that the identified ex-employee had “accessed 33 million accounts,” but he “only retained a small amount of user data from roughly 3,000 accounts” and the data “was only ever stored on his personal desktop PC and MacBook Air laptop.” The company added that “none of that user data was ever transmitted to a third party, and that he deleted the stored data immediately after seeing news reports of the leak.”
Coupang’s independently announced findings were sharply criticized by Korean lawmakers during a series of heated National Assembly hearings. The confrontation covered not only the massive discrepancy in the number of accounts affected by the breach – “33 million” versus “3,000” – but also over the legitimacy of what was referred to as Coupang’s clandestine “self-investigation,” which the company strongly denied, arguing the investigation was, in fact, “coordinated on a daily basis, under the express direction of government, over a period of several weeks.” At a joint hearing on December 30, 2025, Harold Rogers specified that the company’s internal operation had been conducted at the direction of Korea’s National Intelligence Service (NIS). The NIS rejected this assertion and asked the Assembly to file a formal perjury complaint against Rogers. After the hearings, Rogers faced police questioning twice in Seoul on allegations of evidence destruction and perjury.
In the wake of the hearings, on February 5, 2026, the U.S. House Judiciary Committee sent a letter summoning Harold Rogers for a deposition on February 23 to “answer questions related to the Korean government’s targeting of Coupang and other innovative American companies,” and required “communications between Coupang and the Korean government regarding the company’s compliance with foreign laws, regulations, judicial orders, or other government-initiated efforts and how these foreign laws affect U.S. companies.” The letter followed a late-January notice of intent filed by two of Coupang’s U.S. investors to pursue Investor-State Dispute Settlement (ISDS) under the KORUS FTA investment chapter, along with the investors’ submission of a section 301 petition to the Office of the United States Trade Representative (USTR). Last week, three more investors joined the ISDS proceedings.
What warrants close attention is how the Committee’s letter to Rogers appears to adopt Coupang’s “only 3,000 accounts retained” argument, which suggests that the actual data breach was far narrower than the 33.7 million accounts accessed. The letter states that the breach “only resulted in limited, non-sensitive information being retained for around 3,000 customers that has since been recovered.” The same line of defense also surfaces in the ISDS notice of intent and the USTR section 301 petition.
Against this backdrop, on February 10, 2026, South Korea’s Ministry of Science and ICT (MSIT) briefed its initial findings and released a report from a joint public-private investigation, concluding that the user data of roughly 33.7 million customers – including names and emails addresses – had been leaked. The perpetrator also accessed a “shipping address list” page roughly 148 million times, confirming that information – including names, phone numbers, delivery addresses, and building entry codes – was leaked as well, which suggests that the actual scale of the leak could be even greater. In addition, MSIT revealed that the former Coupang engineer – reportedly having left the company in January 2025 – exploited flaws in Coupang’s authentication process, and the breach continued for seven months beginning in April 2025. MSIT described that “it is clearly a management problem, hard to view it as a sophisticated attack,” and added, “[unauthorized] access counts as a leak.”
However, following the MSIT briefing, Coupang Inc. immediately put out a statement reiterating that while its ex-employee accessed data from more than 33 million accounts, he retained data from about 3,000 accounts, and they were later deleted. The company also underscored that highly sensitive information, such as payment data and passwords, were not accessed, and there is no evidence of any secondary harm. Amid disputes over what constitutes a leak or breach – “data access” versus “data retention”– the Science Minister challenged Coupang’s “only 3,000 accounts retained” argument at the National Assembly, saying that the perpetrator could have stored data from the accessed 33 million accounts on a hard drive or in the cloud, but “Coupang has not clearly explained these points.”
Coupang’s Discrimination Argument – And the China Frame
Before the Coupang saga, on November 13, 2025, the U.S. and South Korea inked a deal on tariffs and investments, and their joint fact sheet included language on digital trade, committing to “ensure that U.S. companies are not discriminated against and do not face unnecessary barriers in terms of laws and policies concerning digital services, including network usage fees and online platform regulations, and to facilitate cross-border transfer of data, including for location, reinsurance, and personal data.” Amid Seoul’s growing push for digital rules and Washington’s pressure against it, the two sides then agreed to a ceasefire with the broad, principle-level language, leaving differing interpretations of “discrimination” unresolved.
Starting in January 2026, the name “Coupang” began surfacing repeatedly on the Hill, invoked by some members of Congress at a hearing and raised during a closed-door congressional meeting involving South Korea’s Trade Minister. On January 13, during the House Ways and Means Trade Subcommittee hearing titled “Maintaining American Innovation and Technology Leadership,” Subcommittee Chairman Adrian Smith referenced the U.S.-Korea joint fact sheet and claimed, “Korean regulators already seem to be aggressively targeting U.S. technology leaders. One example would be Coupang through discriminatory regulatory actions.” Rep. Suzan DelBene chimed in defending Coupang, headquartered in her home state, and Rep. Carol Miller also referenced Coupang and the scrutiny its American executives were going through in Seoul, calling it “a political witch hunt.” Yet no Representative mentioned Coupang’s data leak in South Korea.
Amid brewing tensions, the Coupang issue quickly escalated after President Trump’s unexpected social media post on January 26, saying he would raise tariffs on South Korean goods from the negotiated 15 percent back to 25 percent, on the basis that “South Korea’s legislature is not living up to its deals with the United States.” As debate swirled over the reasons behind the abrupt return to 25 percent, U.S. House Judiciary Republicans shared Trump’s post on X and wrote “This is what happens when you unfairly target American companies like Coupang.” The message – reposted by Committee Chairman Jim Jordan and Subcommittee Chairman Scott Fitzgerald – raised fresh questions about whether Coupang may have influenced Trump’s tariff decision. Rep. Darrell Issa, who also sits on the House Judiciary Committee, shared Trump’s post and warned “Failure to live up to agreements and the targeting of American companies and the American citizens who make up their workforce – particularly Coupang – won’t be tolerated by this Congress or this President.”
The timing also came as a shock, coming on the heels of Korean Prime Minister Kim Min-seok’s visit to Washington to meet with U.S. Vice President JD Vance on January 23. Kim had acknowledged that the Coupang issue, among others, first came up in the meeting, but confidently told reporters that “The South Korea-U.S. relationship, historically and under the Lee Jae-myung administration, has gone beyond a level where a specific company could sway it through lobbying.”
Kim’s comment was partially a response to the Coupang investors’ notice of intent for ISDS – filed against Seoul just a day before his meeting with Vance – which includes claims suggesting Korea’s Lee Jae-myung administration is drawing close to China, for example “the [Korean] Government is using the pretext of a limited data breach at Coupang perpetrated by a Chinese threat actor… to try and eliminate a successful U.S. company’s ability to compete with the Korean and Chinese companies that the [Korean] Government favors.” The notice also says, “President Lee is a polarizing figure in Korea… due in part to concerns that he will reorient Korea economically, politically, and militarily away from the United States… and toward an increasingly aggressive China committed to regional hegemony.”
Among the first two investors to file the ISDS notice and the USTR petition – Greenoaks and Altimeter – Greenoaks founder Neil Mehta sits on Coupang’s board, along with the newly nominated U.S. Federal Reserve Chair Kevin Warsh.
Since the data leak, the perpetrator’s Chinese nationality has played into a narrative that the incident was a foreign cyberattack rather than an internal security failure. Casting itself as a victim of Chinese hack helps Coupang bolster its claim that the Korean government is “discriminating” against the “American” technology company in favor of its Korean and Chinese competitors. This narrative is clearly shown in the ISDS notice stating, “President Lee seized his opportunity late last year, when Coupang was the victim of a limited data breach perpetrated by a Chinese former employee based in China.”
Furthermore, the concurrent data breaches in Seoul involving three major domestic telecom operators – SK Telecom (SKT), KT, and LG Uplus – which faced relatively lighter political scrutiny, have strengthened Coupang’s claim that Korea’s regulatory stance is selective and unfair. This narrative is also shown in the petition to USTR arguing that the intensity of the Korean government’s response is “completely disproportionate to how the [Korean] Government has reacted to data incidents at Korean companies and non-U.S. foreign companies, including Chinese businesses.”
Specifically, based on Coupang’s “only 3,000 accounts retained” argument, the complaint cites the SKT’s massive cyberattack, claiming that it involves “SIM card data from 23 to 27 million customers,” which “represents a breach of the data of more than 7,000 times the number of customers whose data was downloaded in the Coupang incident.” The complaint adds, “yet the Korean Government imposed a fine against SKT of $91 million, more than eight times smaller than the fine President Lee hoped to impose on Coupang.”
However – setting aside the penalties for the Korean telecom operators, including SKT, which have yet to be finalized – the most evident difference is that the Chinese perpetrator was a Coupang employee, which weakens the “victim of a Chinese cyberattack” narrative, as well as the “discrimination” argument. While the SKT, KT, and LG Uplus breaches have all been attributed to external actors, Coupang’s data leak has been found, according to investigators, to be rooted in internal mismanagement. This distinction, among other factors, helps explain why public and regulatory reactions in Seoul have been sharper toward Coupang.
In the “discrimination” context, it is also noteworthy that American companies have historically faced intense regulatory scrutiny and substantial financial penalties for similar data breaches in the U.S. Most notably, T-Mobile agreed to pay $350 million – and to spend an additional $150 million to upgrade data security – to settle class-action lawsuits in 2022 following a 2021 breach that compromised the sensitive data of over 76 million people. In 2024, the company reached a further $31.5 million settlement with the Federal Communications Commission (FCC) to resolve investigations into multiple security failures between 2021 and 2023. Similarly, AT&T reached a $177 million class-action settlement in 2025 to resolve litigation from two major data incidents disclosed in 2024, and the FCC’s ongoing inquires could also result in substantial financial penalties or a costly settlement.
Looking Ahead – The “American-in-name-only” Precedent
In Coupang’s case, beyond numerous individual and group damages suits filed by users in Seoul courts, several consumer class actions have also been brought against the company in the U.S., where punitive damages are typically far more substantial than in Korea. More significantly, both Korean and American shareholders have filed separate securities class actions against Coupang in U.S. courts, shifting the focus from Korean users harmed by the data leak to U.S.-market shareholders claiming financial losses from the subsequent stock decline.
With the harm claimed in these lawsuits now extending beyond Korean Coupang users to U.S. Coupang investors and shareholders, the issue now gives Congress ample reason to pay attention, not simply through the lens of shielding the “American” technology company from foreign regulatory scrutiny, but also as a matter of protecting the integrity of the U.S. stock market. Following MSIT’s briefing on the technical analysis, Korea’s police and the Personal Information Protection Commission are also expected to release their findings as the investigation into the data leak continues – updates that could further shape the many lawsuits now unfolding across jurisdictions.
Ultimately, what the Coupang case and its data leak underscore is that the outcome will matter far beyond a single e-commerce company. It may set expectations for a broader class of “American-in-name-only” technology companies – incorporated, listed, and headquartered in the United States, yet with little or no operations in the country – on how readily they can invoke an American identity. If turning to lobbying in Washington in moments of crisis becomes an effective playbook for blunting regulatory scrutiny in the jurisdictions where they actually do business – even when doing so could risk complicating U.S. relations with allies and partners – it could only give rise to more Coupang-like companies, draped in the American flag, while operating only minimally in America.