Basic-Fit Breach Exposes Personal and Bank Data of One Million European Gym Members

Dutch fitness chain Basic-Fit has disclosed a data breach affecting approximately one million members across six European countries, with bank account details among the compromised data. The breach targeted the company's visit-tracking system, exposing names, contact details, dates of birth, and banking information. GDPR notifications have been filed.


Basic-Fit, Europe’s largest gym chain with more than 1,400 locations across the Netherlands, Belgium, Luxembourg, France, Spain, and Germany, has disclosed a data breach affecting approximately one million of its members. The breach is notable not only for its scale but for the inclusion of bank account details — a higher-sensitivity data category than the contact details typically exposed in consumer service breaches.

What Was Exposed

The compromised system was Basic-Fit’s member visit-tracking database — the system that records gym check-ins and membership activity. Data accessed includes:

  • Full names
  • Email addresses
  • Home addresses
  • Phone numbers
  • Dates of birth
  • Bank account details (used for direct debit membership billing)

Basic-Fit confirmed that passwords were not compromised and that the company does not store copies of identity documents. Franchise locations were not affected, as their data is held on a separate system.

Approximately 200,000 of the affected members are in the Netherlands; the remainder are distributed across Belgium, Luxembourg, France, Spain, and Germany.

Data Classification Implications

The inclusion of bank account numbers (IBANs and the associated details used for direct debit mandates) elevates this breach beyond a standard contact-data exposure. Bank account details paired with full names, addresses, and dates of birth form an identity profile complete enough for direct debit fraud (initiating unauthorised SEPA direct debit transactions against the victim’s account) and for bypassing identity verification in financial services.

This is precisely the data profile that social engineering attackers use to impersonate the victim when calling banks to request account changes or to pass knowledge-based authentication checks.

Detection and Response

Basic-Fit stated that the unauthorised access was detected by system monitoring processes and stopped within minutes of discovery. The company has notified the relevant data protection authorities, as required under GDPR Article 33 (72-hour notification obligation), and has begun notifying affected members individually.

The company has not publicly disclosed the attack vector, the duration of the exposure window before detection, or whether any data has appeared for sale in criminal marketplaces.

GDPR Consequences

The breach affects residents across six EU member states, each with national data protection authorities that must be notified. Under GDPR Article 83(4), failure to properly notify can result in fines of up to €10 million or 2% of global annual turnover — and if the Dutch DPA determines that Basic-Fit failed to implement appropriate technical and organisational security measures for the protection of financial data, the penalty tier increases to Article 83(5): up to €20 million or 4% of global turnover.

The combination of banking data and personal identifiers will be a particular focus for regulators, given that higher-risk data categories attract heightened scrutiny under GDPR’s data minimisation and purpose limitation principles.

Recommendations

  1. Alert employees and any affected individuals to be vigilant for bank impersonation calls, unexpected direct debit disputes, or requests to “verify” banking details via unsolicited contact.
  2. Review direct debit authorisation controls in your organisation’s finance systems — ensure that any mandate modifications require out-of-band verification and cannot be changed via a simple phone call with knowledge-based authentication.
  3. Security teams in consumer-facing businesses with European operations should use this incident as a case study when reviewing their own data minimisation practices: is all banking data retained by default, or only what is operationally necessary?
  4. Audit your GDPR data inventory for financial data categories. Basic-Fit’s exposure highlights how visit-tracking and billing systems can silently accumulate higher-risk data alongside operational data.
  5. Monitor affected individuals’ accounts for unusual direct debit activity if you have managed the response to this breach on behalf of your organisation’s employees.
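Items 3 and 4 above ask whether an operational system such as a visit-tracking database holds banking data it does not need. As an added example (not code from this article or from Basic-Fit), the Python below scans every column of a constructed visit-tracking export for IBANs, filters look-alike references with the ISO 13616 mod-97 checksum, and tiers each record the way the data-classification section does; the sample rows, column names and tier labels are assumptions.

```python
import re
# Constructed rows from a hypothetical visit-tracking export. The IBANs are the
# widely published example numbers NL91ABNA..., DE89 3704..., GB82WEST... (one
# digit altered in the look-alike case), not values from the Basic-Fit incident.
SAMPLE_ROWS = [
    {"name": "A. Example", "address": "Example St 1", "dob": "1990-01-01",
     "email": "a@example.org", "last_checkin": "2025-01-10",
     "notes": "old ref GB82WEST12345698765431"},  # fails mod-97: not an IBAN
    {"name": "B. Example", "address": "Example St 2", "dob": "1985-05-05",
     "email": "b@example.org", "last_checkin": "2025-01-12",
     "notes": "mandate moved to NL91ABNA0417164300 per member request"},
    {"name": "C. Example", "address": "", "dob": "", "email": "c@example.org",
     "last_checkin": "2025-01-13", "billing_ref": "DE89370400440532013000"},
]

IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
IDENTITY_FIELDS = ("name", "address", "dob")

def is_valid_iban(candidate):
    """ISO 13616 mod-97: move the first four characters to the end, replace
    letters with 10..35, and the resulting integer mod 97 must equal 1."""
    rotated = candidate[4:] + candidate[:4]
    return int("".join(str(int(ch, 36)) for ch in rotated)) % 97 == 1

def iban_columns(row):
    """Columns holding a checksum-valid IBAN. Every string field is scanned,
    not only billing columns, so account numbers that drifted into free text
    (the silent accumulation the article warns about) are caught."""
    return sorted(col for col, value in row.items()
                  if any(is_valid_iban(c) for c in IBAN_CANDIDATE.findall(value)))

def classify_record(row):
    """'financial-profile': an IBAN beside name, address and date of birth,
    the combination the article calls a direct-debit fraud profile.
    'financial': an IBAN without that full identity set. 'contact': no IBAN."""
    if not iban_columns(row):
        return "contact"
    if all(row.get(f) for f in IDENTITY_FIELDS):
        return "financial-profile"
    return "financial"

def audit(rows):
    """Record counts per tier plus every column in which an IBAN was found."""
    tiers, columns = {}, set()
    for row in rows:
        tier = classify_record(row)
        tiers[tier] = tiers.get(tier, 0) + 1
        columns.update(iban_columns(row))
    return {"tiers": tiers, "iban_columns": sorted(columns)}
```

Run `audit(SAMPLE_ROWS)` against a real export and any column other than the billing field showing up in `iban_columns` is a data-minimisation finding in its own right.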