European gym chain Basic-Fit confirmed on Monday that hackers breached its systems, resulting in the unauthorized download of personal data belonging to roughly one million members. The breach affected customers across the Netherlands, Belgium, Luxembourg, France, Spain, and Germany.
The Netherlands-based company stated that the compromised information includes names, addresses, phone numbers, email addresses, dates of birth, and bank details. Attackers also accessed membership-specific data, such as subscription numbers, subscription types, and records of recent gym visits.
Basic-Fit emphasized that the intrusion was identified and halted within minutes. Despite the swift response, the company acknowledged that the attackers had already successfully downloaded the data before security measures took effect.
“The investigation so far has not shown the data being available anywhere or having been misused,” the company said in a statement. Basic-Fit also confirmed that passwords and official identity documents remain secure and were not involved in the incident.
Scope of the attack
According to reports from Dutch media, the attackers targeted a central system that consolidates member data from multiple international markets. Of the one million affected individuals, approximately 200,000 are based in the Netherlands.
Basic-Fit operates more than 2,150 gyms across 12 countries, serving a total of five million members. The chain stands as one of the largest fitness operators in Europe.
Following the discovery, the company notified the Dutch Data Protection Authority and initiated a formal investigation into the origins of the attack. They are currently working to determine how the threat actors gained entry to their internal systems.
Impacted members have begun receiving email notifications regarding the leak. The company has advised these customers to be particularly cautious of potential phishing attempts, though it noted that no immediate action is required from users at this time.
Social media users across Spain, France, and the Netherlands have reported receiving the company's alert. The notification explicitly states, "With this message, we inform you about an unauthorized download of Basic-Fit data."
