Cyber Incident Victim: Basic-Fit
Date:
Apr 2026
Location:
Netherlands
Summary
Basic-Fit, Europe’s largest gym chain, disclosed a data breach affecting the personal information of about one million members after detecting unauthorized access to its systems that was blocked within minutes. The company said an investigation showed that names, email addresses, physical addresses, phone numbers, dates of birth and bank account details had been downloaded, although it does not store identification documents and no passwords were accessed. Roughly two hundred thousand of the affected members are from the Netherlands, with the remainder located in Spain, Germany, France, Belgium and Luxembourg. The company added that no known ransomware group has claimed responsibility and there is no evidence the data has been leaked or misused.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Basic‑Fit, Europe’s largest gym and fitness chain, announced that it had detected unauthorized access to its systems. The intrusion was identified and blocked within minutes of detection. Following the block, an investigation was launched to determine what data had been accessed. The investigation revealed that personal information belonging to active members in several European countries had been downloaded by the attacker. The compromised data included names, email addresses, physical addresses, phone numbers, dates of birth, and bank account details. Basic‑Fit emphasized that it does not store identification documents for members and that no passwords were accessed in the incident.
The company operates over 1,500 clubs across Europe and serves more than five million members in total. In its press release, Basic‑Fit stated that roughly two hundred thousand members from the Netherlands were affected by the breach. However, in subsequent communications with SecurityWeek, the firm clarified that the total number of impacted members is approximately one million. This larger figure includes members from Spain, Germany, France, Belgium, and Luxembourg in addition to the Dutch contingent. Basic‑Fit said that it is not aware of any leakage or misuse of the compromised data. The identity of the attacker remains unknown, and no ransomware group has claimed responsibility for the incident.
Basic‑Fit issued a public press release in which it disclosed the breach and noted that the intrusion had been blocked within minutes. The press release also stated that an investigation had revealed that member data had been downloaded by the attacker. The company later informed SecurityWeek that the total number of affected members is approximately one million. Basic‑Fit said that it is not aware of any leakage or misuse of the compromised data. The identity of the attacker remains unknown, and no ransomware group has claimed responsibility for the incident. Basic‑Fit operates over 1,500 clubs across Europe and has more than five million members in total.