Multiple data breaches reported

Three separate breach disclosures in April exposed gym member records, travel reservation data and parts of Nigeria’s corporate registry within days of each other. (corporate.basic-fit.com, bleepingcomputer.com, thenigerialawyer.com) Basic-Fit said on April 13 that attackers accessed a system used to record club visits and downloaded member data. Dutch broadcaster NOS, cited by NL Times, reported about 200,000 members in the Netherlands were affected, while other reports based on company notices put the Europe-wide total near 1 million. (corporate.basic-fit.com, nltimes.nl, theregister.com) Basic-Fit said the stolen fields included names, home and email addresses, phone numbers, dates of birth and bank account details, but not passwords or identity documents. The company said it detected and stopped the intrusion within minutes and notified affected members. (corporate.basic-fit.com, nltimes.nl) Booking.com separately told customers that unauthorized third parties may have accessed booking information tied to specific reservations. The company reset reservation PINs and said it had contacted affected guests directly by email. (bleepingcomputer.com, techcrunch.com) Reports citing Booking.com’s notice said the exposed data included full names, email addresses, postal addresses, phone numbers and messages shared with properties through the platform. Booking.com did not publicly disclose how many users were affected. (bleepingcomputer.com, theregister.com) In Nigeria, the Corporate Affairs Commission said on April 15 that it was reviewing “unauthorised access to limited aspects” of its information systems and had activated response protocols with the National Information Technology Development Agency. The commission did not confirm the size of the exposure or identify which records were accessed. (thenigerialawyer.com) That matters because the Corporate Affairs Commission is Nigeria’s official corporate registry, responsible for incorporation records, company filings and post-registration changes for businesses and organizations. Its website describes the registry as the system used to register, search and verify Nigerian businesses. (cac.gov.ng) The 25 million-document figure came from a threat actor’s claim circulating online, not from the commission’s public notice. As of April 15, the Corporate Affairs Commission had confirmed an incident and containment steps, but not the scope described in those posts. (thenigerialawyer.com) The common thread across the three cases is the kind of data taken: contact details, account-linked records and transaction context that can be reused in phishing. Booking.com warned guests to be cautious of suspicious emails and calls, and the Corporate Affairs Commission told users to monitor records and change portal credentials. (bleepingcomputer.com, thenigerialawyer.com) Nigeria’s data protection regime now sits under the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Commission, which says it enforces privacy rules for personal information. That gives the Corporate Affairs Commission breach a regulatory track alongside the technical investigation already underway. (ndpc.gov.ng, placng.org) For customers and companies, the next phase is less about the initial intrusion than the follow-on scams that often use authentic-looking details. The companies have started notifications and containment; the missing piece is still the full count of records exposed in each case. (corporate.basic-fit.com, bleepingcomputer.com, thenigerialawyer.com)