Basic-Fit Confirms Unauthorized Access to Member Records
Basic-Fit, the Netherlands-based fitness company that operates the largest gym chain in Europe, has publicly disclosed a cyberattack that resulted in the theft of personal data belonging to roughly 1 million members. The company operates more than 1,700 clubs and over 430 franchises across 12 countries, including the Netherlands, Belgium, France, Spain, and Germany.
The breach notification was published on the company's official website on April 13, 2026. In it, Basic-Fit confirmed that it had alerted the relevant data protection authority regarding unauthorized access to the system used to log member club visits.
"The unauthorized access was detected by our system monitoring processes and was stopped within minutes of discovery."
Despite the rapid containment, an investigation carried out with the assistance of external cybersecurity experts concluded that data had already been exfiltrated before the intrusion was halted.
What Data Was Stolen?
The investigation identified the following categories of member information as having been accessed and taken by the attacker:
- Full name
- Physical address
- Email address
- Phone number
- Date of birth
- Bank account details
- Other membership-related information
Basic-Fit was clear in its disclosure that no identification documents or account passwords were accessed during the breach. The company also specified that customer data held at franchise locations was not affected, as that information is stored on a separate, independent system.
Scale of the Incident: 1 Million Members Across Six Countries
The official public notification stated that 200,000 individuals in the Netherlands were affected. However, a company spokesperson confirmed to BleepingComputer that the true total across all impacted regions is approximately 1 million members, spanning the Netherlands, Belgium, Luxembourg, France, Spain, and Germany.
To put the breach in context, Basic-Fit's gym network serves around five million members across Europe, meaning the incident affected roughly one in five of its members.
Impacted members have been notified directly by the company, in line with its obligations under European data protection regulations.
Data Retention Practices and Member Rights
Basic-Fit outlined several key points about how it manages member data in accordance with European Union data retention laws:
- All personal data and membership records are automatically deleted after two years, as required by law.
- Members can access their data through the My Basic-Fit app for up to one year after their membership ends.
- Data stored within the app is automatically removed two months after the app is uninstalled from a device.
- Information is also deleted upon formal membership termination.
These retention and deletion policies are intended to limit the volume of data held at any given time, which may mitigate the long-term exposure risk for former members.
No Evidence of Leaked Data — Monitoring Continues
As of the time of disclosure, Basic-Fit stated that its ongoing investigation has not found evidence that the stolen data has been published or leaked online. Nevertheless, the company stressed that it is continuing to monitor the situation with the support of its external security partners.
The incident highlights the persistent risk faced by consumer-facing businesses that store large volumes of financial and personally identifiable information. Bank account details in particular can be leveraged by malicious actors for fraud or phishing attacks, even in the absence of passwords or government-issued ID numbers.
Basic-Fit has urged affected members to remain vigilant against unsolicited communications and to report any suspicious activity linked to their membership information.
Source: BleepingComputer