Hackers gained unauthorized access to the systems of Europe’s largest gym chain Basic-Fit and made off with personal data including names, addresses, and bank details.
The Dutch fitness giant has confirmed a successful cyberattack on its IT infrastructure, in which attackers gained access to data belonging to around one million members. The company operates more than 1,700 owned clubs and over 430 franchise locations across twelve countries, making it the largest gym chain in Europe. Its markets include the Netherlands, Belgium, France, Spain, and Germany.
In a disclosure published on its website, Basic-Fit stated that affected members had already been notified directly. The company also informed the relevant data protection authority about the unauthorized access to the system that records members’ club visits. According to Basic-Fit, the intrusion was detected by its own monitoring systems and stopped within minutes of discovery.
Despite the apparently swift response, an investigation carried out with external security experts found that the attackers had already exfiltrated data. A company spokesperson told BleepingComputer that the total number of affected individuals across the Netherlands, Belgium, Luxembourg, France, Spain, and Germany is around one million. The official disclosure had initially only mentioned 200,000 affected persons in the Netherlands.
“An investigation conducted by external security experts has shown that some of the data stored in the system was downloaded. The downloaded data concerns active members in several countries. In the Netherlands, around 200.000 members are affected. The data concerns membership information, name and address details, email addresses, phone numbers, dates of birth and bank account details. Basic-Fit does not hold identification documents of members and no passwords were accessed.”
Source: Basic-Fit
Franchise data not affected
Basic-Fit says its investigation has so far found no evidence that the stolen data has been published online. The company intends to continue monitoring the situation with external support. Affected members should nonetheless remain vigilant: with bank details and contact information in the hands of attackers, the risk of phishing attempts and other fraud is significant.