Basic-Fit gym group data breach exposes details of over 1 million members — here's what we know

The company confirmed the news in a data breach notification email sent to affected individuals, as well as in a press release and statements given to the media.

“Today, Basic-Fit has notified the relevant data protection authority concerning unauthorized access to the system that records members’ visits to Basic-Fit clubs,” the press release reads. “The unauthorized access was detected by our system monitoring processes and was stopped within minutes of discovery."

Passwords are safe

While the announcement did not say how many people were involved, a spokesperson told The Register the affected customers live in all six countries where Basic-Fit operates: The Netherlands, Belgium, Luxembourg, France, Spain, and Germany.

“In total around 1 million members were involved," they told the publication. Of that number, around 200,000 are located in The Netherlands, apparently.

So far, no threat actors claimed responsibility for the attack. They stole people’s names, postal addresses, email addresses, phone numbers, dates of birth, and bank account details.

We don’t know what they mean by “bank account details”. Usually, companies only store the last four digits of a person’s credit card number on their server - full payment data is generally stored elsewhere.

“Basic-Fit does not hold identification documents of members and no passwords were accessed,” it concluded. So far, there is no evidence of the data being misused, but it’s safe to expect phishing emails being sent out in the coming weeks.

The company running Basic-Fit also owns Clever Fit, a German gym chain. Combined, the two have around 5.8 million registered members, according to The Register, and operate more than 2,150 budget-friendly gyms in 12 countries across Europe.