Ster-Kinekor website flaw puts 7 million users' data at risk

Johannesburg - Up to 7 million South Africans have purportedly fallen victim to a data leak on a website belonging to local movie theatre chain Ster-Kinekor.

Earlier this week, an online resource dubbed '', which helps users find out if any of their accounts have been compromised, tweeted about the compromise saying that “Ster-Kinekor had 1.6 million accounts exposed in 2017”.

The tweet came after Durban software developer, Matt Cavanagh, recently announced that he had discovered a flaw in the Ster-Kinekor booking website and had reported it to the company. 

“As of right now, it isn't clear if anyone has been directly affected. But I highly recommend that if users previously used the same password on Ster-Kinekor and other systems, then they go change them to be unique. It is important to never use a password twice,” Cavanagh told Fin24.

“In total, there were between 6 and 7 million users in the database. Of those, 1.6 million have email addresses associated with them,” he added. 

Cavanagh said that there was basically a vulnerability in the back-end system of the old Ster-Kinekor website that allowed anyone to get the data: names, addresses, emails, phone numbers, and passwords of every user.

“Right now, it is impossible to say if someone has all this data. If someone does, they can potentially gain access to other systems that the users use the same password for,” he said.

“A smaller worry is that it is a massive mailing list that someone could use, along with having personal information like phone numbers and home addresses,” Cavanagh told Fin24. 

The flaw was brought to the attention of Ster-Kinekor, which has since reportedly rectified the issue by switching to a new system called Vista, which removed this vulnerability.

Cavanagh said that he had notified the company of the issues in late 2016.

“They were receptive to hearing about it, but it did take them longer than I initially hoped to fix it,” he told Fin24. 

He said that he had previously discovered flaws such as this on a large scale but “not nearly as big as this one”.

“If a company (i.e. Ster-Kinekor) doesn't have the in-house skill to test the security of their systems, then it is possible to contract external security consultants,” he said. 

Fin24 reached out to Ster-Kinekor for comment but the company has not yet responded. 
