Basic-Fit says unauthorized access to a visit-registration system exposed member data across Europe, including bank details for some customers, affecting approximately one million members.
The Breach
Attackers gained access to Basic-Fit's visit-registration system, which tracks gym attendance. The compromised data included personal information and, for some members, banking details used for membership payments.
The Impact
With approximately one million members affected across multiple European countries, Basic-Fit faced significant notification requirements under GDPR. The breach highlighted risks in ancillary systems not directly part of core operations.
Key Lessons
- Ancillary systems can contain sensitive data requiring equal protection
- Third-party visit-tracking systems expand the attack surface
- Cross-border breaches trigger complex regulatory obligations
- Payment data in non-core systems requires encryption and monitoring