Basic‑Fit Confirms Breach

Basic-Fit said hackers stole data from about 200,000 members in the Netherlands after breaking into a system that logs gym visits. (theregister.com) The company told affected members on Monday, April 13, that the downloaded data included membership information, names, addresses, email addresses, phone numbers, dates of birth and bank account details. Basic-Fit said passwords and identity documents were not exposed. (nltimes.nl) Basic-Fit said its monitoring systems detected the unauthorized access and stopped it within minutes, but an internal investigation with outside security experts found that member data had already been downloaded. The company said it notified the Dutch Data Protection Authority and contacted members whose data was involved. (bleepingcomputer.com) The breach was not limited to the Netherlands. Reports citing the company said about 1 million members were affected across six countries where Basic-Fit operates, including Belgium, France, Spain, Luxembourg and Germany. (theregister.com) Basic-Fit is one of Europe’s biggest gym operators, with more than 5.8 million memberships and more than 2,150 clubs under the Basic-Fit and Clever Fit brands. A breach at that scale turns routine account data into a cross-border regulatory and customer-notification problem. (cybernews.com) The company said the compromised system records members’ visits to clubs, which means the incident hit a core operational database rather than a marketing list or a local gym’s spreadsheet. Basic-Fit also said franchise customer data was stored separately and was not exposed. (bleepingcomputer.com) Dutch outlets said the case is now with the Autoriteit Persoonsgegevens, the Netherlands’ privacy watchdog, after Basic-Fit filed its notification. Under European Union privacy rules, companies must report serious personal-data breaches to regulators and inform affected people when the risk is high. (security.nl) For members, the immediate risk is not gym access but fraud built from real personal details. Dutch and security reports said exposed names, dates of birth and bank details can be used in phishing messages that look convincing because they match a real membership account. (cyberwarzone.com) Basic-Fit said it had no concrete indication, as of its first notices, that the stolen information had already been misused. The company’s next steps are the same ones it started on Monday: investigate the intrusion, answer to regulators and keep affected members updated. (crime-nieuws.nl)