A recent KYC (Know Your Customer) data exposure at Total Fitness, a members-only club in the UK, left personal details of its members exposed online. This was revealed by cybersecurity researcher Jeremiah Fowler who found that a misconfigured database contained not only personal details but photos of members and staff available for public download with any password or security authentication.
For your information, Total Fitness is a chain of health clubs with 15 locations in North England and Wales. According to Fowler’s investigation, published by vpnMentor and shared exclusively with Hackread.com, the database had half a million (474,651) images, while the entire dataset was worth over 47.7 GB of data including facial images of gym employees, members, and children.
Some images were taken by staff during membership processes and the Total Fitness logo was visible in the background. Most of the images were self-submitted by members or their parents/guardians. Additionally, there were documents containing highly sensitive information such as the following:
- Full names
- Utility bills
- Credit cards
- Phone numbers
- Email addresses
- Home addresses
- Passports with employees’ immigration details
Fowler claims that it is unclear how many images contained sensitive data, whether they were from Total Fitness’ online member portal or the Total Fitness mobile app, how long the database was publicly accessible, or if anyone else with malicious intent gained access.
Total Fitness is currently conducting a full audit of all member images, contacting all members whose images were identified and removing them. They have also notified the Information Commissioner’s Office (ICO), the UK’s data protection regulator, and will cooperate on related inquiries.
“It shows professionalism and responsibility when an organization has a data incident and takes proper steps to address the issue publicly and to notify potentially affected individuals,” Fowler opined in his report.
However, the potential consequences of such data leaks can be extensive. Artificial intelligence and facial recognition technology have made it easier to identify individuals based on pictures. Fowler analyzed a limited sample of images using an open-source reverse image search tool and could identify several members based on their profile pictures.
Such incidents also raise privacy concerns about how companies collect and store images of customers, as well as who has access to them. Total Fitness must review and enhance its data security practices to prevent similar incidents in the future.
Members should also take proactive measures to protect their data, including updating their login credentials, monitoring accounts for suspicious activity, and being wary of possible phishing attempts.
RELATED TOPICS
- Data Leak Exposes Business Leaders and Top Celebrity Data
- Hackers Attack UK’s Nuclear Waste Services Through LinkedIn
- Data Leak Exposes 500GB of Indian Police, Military Biometric Data
- Major UK Security Provider Leaks Trove of Guard and Suspect Data
- Trove of UK Student Records Exposed in School Software Server Leak
- Personal data of 600,000 customers of U.S. fitness chain exposed Online