Basic-Fit is one of those names that come up again and again when we visit different European cities. Its gyms are everywhere and its backpacks have become an almost recognizable element of the urban landscape. Precisely for this reason, what has just come to light is not a minor incident: the largest gym chain in Europe has suffered a security breach that has exposed information on around a million clients.
The question is inevitable: what exactly happened? According to a statement sent to Xataka, the attackers managed to breach the system responsible for recording members’ visits to the gyms. This is not just any system, but one of the pieces that are part of the daily lives of millions of users. The company maintains that the intrusion was detected automatically by its monitoring systems and that it was blocked within a few minutes.
The geographical scope of the incident is clear: six of the 12 countries where the company operates have been affected by the intrusion. We are talking about Spain, France, Belgium, Luxembourg, Germany and the Netherlands. In the case of the latter, the number of affected customers is around 200,000, and there are no details on the rest of the territories.
If you’re wondering why only half of the countries have been affected, Reuters has the answer: the rest operate under a franchise model with different computer systems. It is a key point to understand why the scope could be more limited than it initially appears, although it is still significant.
The company has launched an investigation with external cybersecurity experts. Thanks to this, we are beginning to outline what type of information may have been compromised. According to the statement, the exposed data includes:
- Membership Information
- Name and address
- Email address
- Phone number
- Birthdate
- Bank details (partial leak; only some users’ IBANs were exposed)
Basic-Fit insists that no identification numbers or passwords have been leaked, nor has it detected that the data is circulating publicly. When the company talks about the latter, everything indicates that it is referring to environments such as the dark web, where this type of information usually ends up for sale and where personal data becomes just another commodity. Just because there is no trace now does not necessarily mean that it cannot appear later.
The risk, in any case, is real. With access to this type of data, a malicious actor can launch much more credible phishing or even more precisely targeted attacks. Therefore, beyond the specific scope of the breach, the recommendation is clear: it is advisable to exercise extreme caution with any email or communication we receive in the coming days, and always verify that they come from legitimate sources.
Basic-Fit, being a listed company and operating under European rules, has notified the data protection authorities about the incident. At the same time, it is notifying customers who have been affected.