Basic-Fit Confirms Cyberattack Affecting Members in Six Countries
Netherlands-based gym chain Basic-Fit has disclosed that unknown hackers successfully breached its systems and exfiltrated personal data belonging to members spread across multiple European countries. The company issued a statement on Monday confirming the incident, which is reported to have compromised records of approximately 1 million members.
The affected countries include Belgium, the Netherlands, Luxembourg, France, Spain, and Germany, according to Dutch media reports. Of the total number of compromised accounts, around 200,000 customers are based in the Netherlands.
What Data Was Stolen
Basic-Fit said the breach involved a broad range of sensitive personal information. The categories of data accessed include:
- Full names and home addresses
- Phone numbers and email addresses
- Dates of birth
- Bank account details
- Membership data, including subscription numbers, subscription types, and recent gym visit records
The company was careful to note that passwords and identity documents were not accessed during the intrusion, offering some reassurance to affected members.
Intrusion Detected Quickly, But Not Before Data Was Downloaded
According to Basic-Fit, its security systems detected and halted the unauthorized access within minutes of the intrusion beginning. However, the attackers had already managed to download a portion of member data before the breach was contained.
The company stated that its investigation so far has not identified the stolen data being made available publicly or misused in any known way. "The investigation so far has not shown the data being available anywhere or having been misused," the company's statement read.
Dutch media reports indicate the attackers targeted a central system used to store member data from several countries simultaneously, which explains the multi-national scope of the exposure.
Regulatory Notification and Ongoing Investigation
Following discovery of the breach, Basic-Fit reported the incident to the Dutch Data Protection Authority and initiated a formal investigation to determine how the attackers gained access and to identify those responsible.
The company has also begun notifying affected members directly via email, urging them to remain vigilant against potential phishing attempts that could exploit the leaked data. The notification emails read: "With this message, we inform you about an unauthorized download of Basic-Fit data." Despite the warning, Basic-Fit indicated that no further action is currently required from members.
Multiple users across Spain, France, and the Netherlands confirmed on social media that they had received the breach notification emails from the gym chain.
About Basic-Fit
Basic-Fit is among the largest gym operators on the European continent, running more than 2,150 gyms across 12 countries and serving a membership base of roughly 5 million people. The scale of the company's operations underscores the significance of the breach, which touched members in six of those countries.
What Members Should Watch For
Although no evidence of misuse has surfaced at this stage, the types of data exposed — including bank details and contact information — could be leveraged in targeted phishing campaigns or social engineering attacks. Security experts generally advise individuals whose data has been compromised to:
- Be cautious of unsolicited emails or messages purportedly from Basic-Fit or affiliated organizations
- Monitor bank statements for any unusual or unauthorized transactions
- Avoid clicking links in unexpected emails, even those that appear legitimate
- Consider updating passwords on any accounts that share credentials with their Basic-Fit login
The breach adds to a growing list of cyberattacks targeting consumer-facing membership platforms across Europe, where centralized customer databases containing financial and personal data continue to be attractive targets for malicious actors.
Source: The Record