Coupang may be best known as South Korea’s Amazon. Yet the company now finds itself at the center of a controversy that reveals structural weaknesses in the country’s data governance framework.

In late 2025, Coupang disclosed that personal information linked to approximately 33.7 million customer accounts in South Korea had been exposed. In a country of 51.6 million people, the scale of the breach stunned the public and triggered immediate political backlash. Lawmakers soon summoned the company’s founder and chair, Bom Kim, to testify before the National Assembly.

Ordinarily, a major corporate data breach in South Korea follows a familiar script: public apology, regulatory scrutiny, financial penalties, and civil litigation. But the Coupang episode quickly broke that pattern. Bom Kim declined to attend the National Assembly hearing, citing prior commitments. Lawmakers responded by filing a legal complaint over his absence. Harold Rogers, the interim CEO of Coupang’s Korean subsidiary, appeared before legislators but clashed with them during the hearing.

What initially appeared to be a domestic regulatory matter soon escalated into an international trade issue. U.S. lawmakers criticized the Korean government for what they described as unfair targeting of an American company. U.S. investors explored trade complaint mechanisms under the U.S.-South Korea free trade agreement. When Vice President J.D. Vance met South Korean Prime Minister Kim Min-seok, he reportedly urged a fair resolution. More recently, the U.S. House Judiciary Committee subpoenaed Rogers as part of a hearing examining South Korea’s treatment of American firms.

What explains this escalation? Part of the answer lies in how corporate accountability is enforced in South Korea. Collective litigation mechanisms remain comparatively underdeveloped, leaving administrative enforcement and parliamentary hearings to play outsized roles in high-profile corporate scandals. In that institutional context, declining to testify or publicly clashing with lawmakers is often interpreted as disregard for public concerns, prompting legislators to respond visibly and forcefully.

The deeper reason the controversy did not remain domestic, however, lies in Coupang’s legal and political positioning in the United States. Although its commercial center of gravity is South Korea, Coupang is headquartered in Seattle and listed on the New York Stock Exchange. That corporate structure made it easier for the issue to be reframed not merely as a Korean consumer protection case, but as a broader question of how a U.S.-based firm is treated abroad.

Coupang’s Washington footprint added further fuel. Since its 2021 public listing, the company has reportedly spent more than $10 million on federal lobbying. Following Donald Trump’s reelection in 2024, it donated $1 million to the Trump-Vance inaugural committee. Its political action committee has contributed to lawmakers and party committees from both parties. Coupang has also partnered with the Commerce Department’s International Trade Administration to help U.S. businesses reach Korean consumers, positioning itself as a conduit for American export interests.

It remains uncertain whether the confrontation will escalate or subside in the near term. From the perspective of Korean consumers, however, the central issue is not simply whether tensions ease, but whether the outcome delivers meaningful improvements in data protection and establishes credible enforcement mechanisms that do not repeatedly spill into diplomatic friction.

The Coupang breach exposes structural weaknesses in national data protection mechanisms. As daily life becomes increasingly dependent on digital networks, cybersecurity and data governance systems have repeatedly revealed serious vulnerabilities. In 2025, all three major mobile carriers in South Korea reportedly experienced data leaks tied to cybersecurity breaches. Lotte Card, a major credit card issuer, suffered a large-scale personal data breach following a hacking attack. Without fundamental reforms to strengthen national cybersecurity and data governance, the risk of future breaches will only grow.

This episode also demonstrates that in a globalized economy, enforcement actions against corporate breaches can quickly escalate into trade disputes. Diplomatic controversy can divert attention from the structural reforms that effective data governance requires. When framed as a cross-border confrontation, reform becomes vulnerable to political priorities, whether to penalize a foreign firm or to avoid diplomatic fallout. This politicization complicates the already difficult task of modernizing national data governance.

South Korea’s focus should therefore extend beyond a single company and beyond the immediate goal of defusing diplomatic tensions. The deeper imperative is to modernize privacy governance in a way that strengthens resilience against both cyber threats and geopolitical pressure. In an increasingly globalized and data-driven economy, the urgency of reform will only intensify.