European Gym giant Basic-Fit data breach affects 1 million members

European Gym Giant Basic-Fit Data Breach Affects 1 Million Members

1. Overview

• Basic-Fit disclosed a cyber incident involving unauthorized access to the system that records members’ visits to its clubs.
• The breach was detected by internal monitoring, and the unauthorized access was stopped within minutes of discovery.
• An investigation with external security experts determined that data belonging to a portion of Basic-Fit members was exfiltrated.

1. Company footprint

• Basic-Fit is described as the largest gym chain in Europe, with more than 1,700 clubs and over 430 franchises.
• The company operates across 12 countries, including the Netherlands, Belgium, France, Spain, and Germany.
• The publicly stated member base for Basic-Fit’s European network is around five million members across its gyms.

1. Incident details and response

• The breach involves information tied to members’ visits and membership data, rather than franchise-level data.
• Basic-Fit notified the relevant data protection authorities about the unauthorized access.
• The company stated that the breach was contained quickly, and the investigation is continuing with the support of external cybersecurity professionals.

1. Data exposed

• Exposed personal data reportedly includes:
• Full name
• Physical address
• Email address
• Phone number
• Date of birth
• Bank account details
• Other membership-related information
• Importantly, the breach did not involve access to customer identification documents or passwords.
• Data tied to Basic-Fit franchises themselves was not exposed because it resides on a separate system.

1. Geographic scope and affected numbers

• In the Netherlands, the disclosed figure was 200,000 affected individuals.
• A spokesperson later stated that the total number of affected members across the Netherlands, Belgium, Luxembourg, France, Spain, and Germany is around 1 million.
• Basic-Fit emphasized that its European gym network comprises roughly five million members, providing context for the scale of the organization.

1. Data retention, deletion, and access in apps

• Under European Union data retention laws, Basic-Fit is required to delete personal data and membership information after two years.
• Data within the My Basic-Fit app can be accessed by customers one year after termination of membership.
• Information in the app should be automatically removed two months after uninstalling the app from a device or upon membership termination.

1. Investigation status and monitoring

• The initial assessment did not indicate that the data had been leaked publicly online.
• Basic-Fit will continue monitoring the situation with ongoing support from external security experts to assess potential further exposure or risk.

1. Context and clarifications

• Basic-Fit’s disclosure distinguishes between data held at corporate systems and data maintained at franchise-specific systems, noting that the latter was not exposed in this incident.
• The incident highlights the importance of rapid detection and containment, as well as the role of third-party security experts in validating the scope and impact of a breach.
• While the breach is described in terms of member data exposure, no explicit guidance is provided here about remediation steps for individual members; the explicit focus is on what was affected, the scope, and the company’s stated responses and safeguards.