Fit confirms data on a million members stolen in cyberattack

Names, addresses, dates of birth, and bank details accessed, though not passwords
Basic-Fit, Europe's largest gym chain, has confirmed data including the bank details of around a million customers was stolen from its systems.

Around 200,000 members in the Netherlands alone had their data snatched in a recent cyberattack, the company confirmed on Monday morning via emails sent to those affected.

"Today, Basic-Fit has notified the relevant data protection authority concerning unauthorized access to the system that records members' visits to Basic-Fit clubs," it said .

"The unauthorized access was detected by our system monitoring processes and was stopped within minutes of discovery.

The members whose data is involved have been informed."
Basic-Fit said in a press release that "several countries" were affected but did not name them explicitly.

It told The Register , however, that members in six countries were hit: Belgium, France, Germany, Luxembourg, and Spain, in addition to the Netherlands.

Basic-Fit only confirmed the total number of affected members after The Register pressed the company for the figures.

A spokesperson told us it could "confirm it involved members [in] all six countries – NL, Belgium, Luxembourg, France, Spain, and Germany, and in total around 1 million members were involved."
They added: "All were affected in the same way – it is one system containing data on members' visits to clubs, and that is not a specific Dutch or French system.

For all, it concerned the same data.

How they could access the system, who did it, and how is now part of the investigation that we are conduct[ing] with external specialists."
Bank details were also stolen, Basic-Fit confirmed, although passwords were not accessed, and the company does not store copies of identity documents.

Across its two brands, Basic-Fit and Clever Fit, the company has around 5.8 million registered members in total, and operates more than 2,150 budget-friendly gyms across 12 countries in Europe, although Belgium, France, Germany, the Netherlands, and Spain comprise its biggest markets.

Basic-Fit told customers that it is not currently aware of any member data appearing online, either for free or for sale, but it continues to monitor the situation.

In the same disclosure emails, the company advised customers to watch out for potential phishing attempts, and to contact the company via official channels to verify the legitimacy of any suspicious communications.

®