Europe's Largest Gym Chain Basic-Fit Discloses Data Breach Affecting One Million Members Across Six Countries
Hackers accessed names, addresses, bank details, and dates of birth of roughly one million Basic-Fit members before monitoring systems cut off the intrusion.
Overview
Basic-Fit, the largest gym chain in Europe, disclosed on April 13 that hackers breached its systems and accessed personal data belonging to approximately one million members across six countries, according to BleepingComputer. The Dutch fitness giant said the unauthorized access was detected by automated monitoring and stopped within minutes, but not before the attackers had downloaded a significant volume of member data.
What We Know
The breach targeted the system Basic-Fit uses to record member visits at its fitness clubs, not the company’s broader infrastructure, as The Register reported. Exposed data includes full names, home addresses, email addresses, phone numbers, dates of birth, bank account details, and membership information such as subscription type and recently visited locations.
Passwords and copies of identification documents were not compromised in the incident, according to BleepingComputer.
The affected members are spread across the Netherlands, Belgium, Luxembourg, France, Spain, and Germany. Roughly 200,000 of those impacted are located in the Netherlands, TechRadar reported. Franchise operations in six additional countries use separate systems and were not affected.
Basic-Fit operates more than 2,150 budget gyms across 12 European countries and has approximately 5.8 million registered members in total, according to The Register. The breach therefore affected roughly 17 percent of the company’s entire customer base.
The company said it notified the relevant data protection authorities in each affected country and contacted impacted members directly by email, as reported by BleepingComputer. Basic-Fit warned members to be vigilant for phishing attempts that could leverage the stolen personal information.
What We Don’t Know
Basic-Fit has not disclosed how the attackers gained access to the visit-registration system. The company told The Register that determining how the system was accessed, who was responsible, and the full method of attack is “now part of the investigation that we are conducting with external specialists.”
No threat actor has publicly claimed responsibility for the breach. As of the disclosure date, Basic-Fit said there were no indications that the stolen data had been leaked online or misused, though the company stated it continues to monitor the situation closely.
It also remains unclear precisely how long the attackers had access before detection systems intervened, or what specific volume of data was exfiltrated during that window.
Analysis
The inclusion of bank account details alongside other personal identifiers makes this breach particularly sensitive. While the absence of passwords and identity documents limits the immediate risk of account takeover, the combination of names, addresses, dates of birth, and banking information provides a rich dataset for targeted phishing campaigns and social engineering attacks.
The breach underscores the risks that consumer-facing companies with large membership databases face even when core IT infrastructure remains uncompromised. In this case, a visit-registration system — a peripheral function compared to payment processing or authentication — served as the point of entry.
Under the EU’s General Data Protection Regulation, companies must notify supervisory authorities within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. Basic-Fit appears to have met this requirement by disclosing the incident and contacting authorities promptly. However, the exposure of bank account details across six EU jurisdictions may trigger parallel investigations by multiple national data protection regulators.