It was confirmed on the 17th that personal information generated as consumers use the exclusive ticket reservation service of Coupang Play, the online video service (OTT) operated by Coupang, is being handled in a structure that Coupang cannot directly manage or check and verify.
To buy tickets for major concerts and sports events such as singer G-Dragon (GD)'s concert and soccer player Son Heung-min's Korea match, users must create a Coupang account (ID) and join the paid Wow membership. However, regarding the personal information registered and processed in that process, Coupang said it "cannot check because an external partner processes it." Critics say this has created a gap in accountability for personal information management.
According to materials submitted by the office of Lee Sang-hwi, a member of the People Power Party on the Science. ICT. Broadcasting. and Communications Committee, by Coupang, Coupang Play ticket reservations are made by logging in with a Coupang account (One ID) and then using a separate purchase page operated by an external partner. In this process, the user's name and member number are provided to the external partner. At that time, the collection and processing of key personal information necessary for purchasing tickets, such as seat selection, payment, and delivery address/recipient information, are handled by the external partner.
Coupang Play Tickets is an exclusive service available only to Wow members among Coupang users. If a nonmember wants to see the concert or sports match, they must create a Coupang account and sign up for Wow membership. Coupang's position is that it cannot directly inspect or verify the personal information generated in that process.
In particular, regarding the recent personal information breach involving 33.7 million cases, Coupang said, "Coupang Play ticket purchase information is not shared with Coupang, so it is hard to see it as part of this breach." However, logs, databases (DB), and access permission (IAM) structures that could verify this are being withheld, citing trade secrets.
Security management is also delegated to the external partner. Coupang says it does not apply separate in-house security policies related to Coupang Play ticket purchases. In particular, it did not disclose the personal information access permission assignment table or API/DB access logs, saying the partner manages them. Coupang said, "Personal information processing with the external partner is being carried out in compliance with relevant laws," adding, "We also obtain users' prior consent regarding personal information."
Lee Sang-hwi of the People Power Party said, "Tickets exclusively sold on Coupang Play are a service run solely by Coupang. In effect, without using it, users cannot access the content," adding, "After making it so users have no choice but to use Coupang, leaving the management and responsibility for protecting the personal information generated in that process solely to an external partner is poor management and an evasion of responsibility." He continued, "If Coupang truly has no responsibility, the first step is to submit verification materials such as relevant log records and access permission structures."