Ster-Kinekor website flaw puts 7 million users' data at risk

Johannesburg - Up to 7 million South Africans have purportedly fallen victim to a data leak on a website belonging to local movie theatre chain Ster-Kinekor.

Earlier this week, an online resource dubbed 'haveibeenpwned.com', which helps users find out whether any of their accounts have been compromised, tweeted about the compromise, saying that “Ster-Kinekor had 1.6 million accounts exposed in 2017”.

The tweet came after Durban software developer Matt Cavanagh recently announced that he had discovered a flaw in the Ster-Kinekor booking website and had reported it to the company.


“As of right now, it isn't clear if anyone has been directly affected. But I highly recommend that if users previously used the same password on Ster-Kinekor and other systems, then they go change them to be unique. It is important to never use a password twice,” Cavanagh told Fin24.

“In total, there were between 6 and 7 million users in the database. Of those, 1.6 million have email addresses associated with them,” he added. 


Cavanagh said the flaw was a vulnerability in the back-end system of the old Ster-Kinekor website that allowed anyone to retrieve the data of every user: names, addresses, email addresses, phone numbers and passwords.

“Right now, it is impossible to say if someone has all this data. If someone does, they can potentially gain access to other systems that the users use the same password for,” he said.

“A smaller worry is that it is a massive mailing list that someone could use, along with having personal information like phone numbers and home addresses,” Cavanagh told Fin24. 


The flaw was brought to the attention of Ster-Kinekor, which has since reportedly rectified the issue by switching to a new system called Vista, removing this vulnerability.

Cavanagh said that he had notified the company of the issues in late 2016.

“They were receptive to hearing about it, but it did take them longer than I initially hoped to fix it,” he told Fin24. 

He said that he had previously discovered flaws such as this on a large scale but “not nearly as big as this one”.

“If a company (i.e. Ster-Kinekor) doesn't have the in-house skill to test the security of their systems, then it is possible to contract external security consultants,” he said. 

Fin24 reached out to Ster-Kinekor for comment but the company has not yet responded. 
