Basic-Fit Data Breach Exposes 1 Million Members Across Multiple Countries
European budget fitness giant Basic-Fit has confirmed a significant data breach affecting approximately 1 million members across multiple European countries, with around 200,000 victims in the Netherlands alone, making it one of the most impactful consumer data incidents in the region this year.
Basic-Fit operates over 2,150 gyms across six European countries under its direct model, serving over 4.5 million members. Franchise operations across six additional countries, which run on a separate technical infrastructure, were not affected by the intrusion.
According to Basic-Fit’s official statement, the intrusion was detected by the company’s system monitoring processes and halted within minutes of discovery.
However, the rapid containment was insufficient to prevent data exfiltration, as attackers had already downloaded a significant volume of member records before access was revoked.
What the Basic-Fit Data Breach Exposed
The breach targeted the system Basic-Fit uses to register member visits to its fitness clubs, resulting in the unauthorized exfiltration of highly sensitive personal and financial records. Exposed data includes:
- Full names, home addresses, email addresses, and phone numbers
- Dates of birth and bank account details (IBANs)
- Membership information, including subscription type, subscription number, payment status, and which gyms a member visited during the last week
The company confirmed that no identity documents, such as passports or driving licenses, are stored on its systems, and that no passwords were compromised.
Security experts warn that the combination of IBANs with personal identifiers directly enables SEPA direct debit fraud, in which criminal actors impersonate Basic-Fit and initiate unauthorized payment requests against victims’ bank accounts.
Additionally, the volume of exposed contextual data is sufficient to enable highly targeted spear-phishing campaigns, allowing attackers to craft convincing communications that reference authentic membership details.
The company has notified the Dutch Data Protection Authority in compliance with GDPR obligations, which mandate breach disclosures within 72 hours of confirmed detection.
Affected members have been individually contacted and advised to closely monitor their bank statements and remain alert to unsolicited calls, messages, or emails referencing their membership.
The incident arrives amid a broader wave of major data breaches hitting Dutch companies and consumer infrastructure in 2026, as Reuters reported. Telecom firm Odido recently exposed records of 6.2 million customers, including IBANs and identity documents.
The clustering of high-profile incidents signals that organizations holding large consumer financial datasets in the Netherlands remain under active targeting pressure.
Cybersecurity analysts say the pattern reflects a sustained focus by threat actors on large European service providers that hold aggregated financial and identity data at scale.