Bleeping Computer

European Gym giant Basic-Fit data breach affects 1 million members


Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers.

The company operates the largest gym chain in Europe, owning more than 1,700 clubs and over 430 franchises in 12 countries, including the Netherlands, Belgium, France, Spain, and Germany.

In a disclosure published on its website earlier today, Basic-Fit states that club members impacted by the cyberattack have been informed directly.

“Today, Basic-Fit has notified the relevant data protection authority concerning unauthorized access to the system that records members’ visits to Basic-Fit clubs,” reads the notification.

“The unauthorized access was detected by our system monitoring processes and was stopped within minutes of discovery.”

Despite the claimed quick response, an investigation conducted with the help of external security experts found that the attacker exfiltrated data belonging to some Basic-Fit members, which includes the following:

  • Full name
  • Physical address
  • Email address
  • Phone number
  • Date of birth
  • Bank account details
  • Other membership information

It is important to note that customer data at Basic-Fit franchises has not been exposed in the incident, as it is stored on a separate system.

In the public disclosure, the company specified that the number of affected individuals in the Netherlands is 200,000. However, a spokesperson told BleepingComputer that the total number is around 1 million members in the Netherlands, Belgium, Luxembourg, France, Spain, and Germany.

The Basic-Fit representative noted that the gyms across Europe have around five million members.

According to the official disclosure, no identification documents or account passwords were accessed as a result of the data breach.

Based on data retention laws in the European Union, Basic-Fit is required to delete all personal data and membership automatically after two years.

Customers can access data in their My Basic-Fit app one year after termination. Information in the app should be removed automatically two months after uninstalling it from the device, and upon membership termination.

Basic-Fit says that its investigation of the incident’s impact did not reveal that the data was leaked online. Nevertheless, the company will continue to monitor with the help of external experts.
