Basic-Fit said hackers gained unauthorized access to a system that records members’ visits to its clubs and accessed data tied to about 1 million customers across Europe, including names, addresses, email addresses, phone numbers, birth dates and bank account details.
KEY FACTS
- Company Basic-Fit runs more than 1,700 clubs and over 430 franchises in 12 countries.
- Exposure The incident affected members in the Netherlands, Belgium, Luxembourg, France, Spain and Germany.
- Data Exposed information included contact details, date of birth, bank account details and other membership data.
- Response The unauthorized access was detected by monitoring systems and stopped within minutes, according to the disclosure.
- Scope No identification documents or account passwords were accessed, and franchise customer data was not exposed.
The Dutch gym chain said it notified the relevant data protection authority and informed affected members directly. Its investigation, with help from external security experts, found that data from some members had been exfiltrated.
The company said it has not found evidence that the data was published online. Basic-Fit also said personal data is normally deleted after two years under EU retention rules, while app data should be removed automatically after membership ends or the app is uninstalled.
Basic-Fit said the number of affected people in the Netherlands is 200,000, while a spokesperson said the total across its European markets is about 1 million. The chain said it has about 5 million members in total.
WHY IT MATTERS
The breach involves personal and financial information that could be used for fraud or phishing. It also shows how a compromise in a member-tracking system can affect customers across multiple countries even when passwords and identity documents are not exposed.