Ster-Kinekor website flaw puts 7 million users' data at risk


Johannesburg - Up to 7 million South Africans have purportedly fallen victim to a data leak on a website belonging to local movie theatre chain Ster-Kinekor.

Earlier this week, an online resource dubbed 'haveibeenpwned.com', which helps users find out if any of their accounts have been compromised, tweeted about the compromise saying that “Ster-Kinekor had 1.6 million accounts exposed in 2017”.

The tweet came after Durban software developer, Matt Cavanagh, recently announced that he had discovered a flaw in the Ster-Kinekor booking website and had reported it to the company. 


“As of right now, it isn't clear if anyone has been directly affected. But I highly recommend that if users previously used the same password on Ster-Kinekor and other systems, then they go change them to be unique. It is important to never use a password twice,” Cavanagh told Fin24.

“In total, there were between 6 and 7 million users in the database. Of those, 1.6 million have email addresses associated with them,” he added. 


Cavanagh said that there was basically a vulnerability in the back-end system of the old Ster-Kinekor website that allowed anyone to get the data: names, addresses, emails, phone numbers, and passwords of every user.

“Right now, it is impossible to say if someone has all this data. If someone does, they can potentially gain access to other systems that the users use the same password for,” he said.

“A smaller worry is that it is a massive mailing list that someone could use, along with having personal information like phone numbers and home addresses,” Cavanagh told Fin24. 


The flaw was brought to the attention of Ster-Kinekor, which has since reportedly rectified the issue by switching to a new system called Vista, which removed this vulnerability.

Cavanagh said that he had notified the company of the issues in late 2016.

“They were receptive to hearing about it, but it did take them longer than I initially hoped to fix it,” he told Fin24. 

He said that he had previously discovered flaws such as this on a large scale but “not nearly as big as this one”.

“If a company (i.e. Ster-Kinekor) doesn't have the in-house skill to test the security of their systems, then it is possible to contract external security consultants,” he said. 

Fin24 reached out to Ster-Kinekor for comment but the company has not yet responded. 
