Cyber Incident Victim: PayAsUGym
Date: Dec 2016
Location: United Kingdom
Summary
A UK-based fitness pass provider experienced a server breach compromising approximately 300,000 customer email addresses and encrypted passwords, though no financial data was exposed as payment details were stored off-site via a tokenized system. The unauthorized access prompted immediate server migration, law enforcement notification, and customer password reset advisories after some credentials appeared online; the company emphasized encrypted password storage and reiterated its policy against retaining sensitive payment information while attributing the incident to increasingly prevalent cyberattacks.
Description
On December 17, 2016, PayAsUGym publicly disclosed a cybersecurity incident involving unauthorized access to one of its IT servers. The breach occurred on Thursday of that week, compromising approximately 300,000 customer email addresses and passwords stored in the company's database. PayAsUGym detected the intrusion and responded by shutting down the compromised server infrastructure, subsequently migrating to new systems after consulting cybersecurity professionals. The company notified affected customers via email on Friday, confirming that while stored passwords were encrypted, users should nevertheless change their credentials as a precautionary measure. PayAsUGym emphasized that its payment systems utilized tokenization, meaning financial and credit card information remained securely stored at the payment gateway rather than on company servers, preventing exposure of sensitive payment data during the incident.

The breach resulted in the unauthorized publication of some customers' credentials online, though the exact scope of this dissemination remained unspecified. PayAsUGym reported the incident to law enforcement authorities following containment measures. Company representatives stated that cyberattacks were becoming "more frequent," and presented this as justification for their existing policy of never storing financial details and of maintaining password encryption protocols. No technical details regarding the attack vector, duration of unauthorized access prior to detection, or identity of threat actors were disclosed. The primary operational consequences included server migration, customer notifications, and password reset procedures, with no reported financial fraud directly linked to the breach due to the segregated payment system architecture.
