Basic-Fit Data Breach Exposes Millions of Users Across Multiple

Europe’s largest budget fitness chain by club count, Basic-Fit, has confirmed a significant data breach impacting approximately 1 million members across multiple countries. Unauthorized access to its membership systems affected around 200,000 members in the Netherlands alone.

Basic-Fit, which operates over 2,150 gyms across 12 European countries and serves more than 4.5 million members, detected the intrusion through its internal system monitoring tools.

According to the company, the unauthorized access was stopped within minutes of detection, but not before threat actors had already downloaded a significant volume of member data.

The breach specifically targeted the system Basic-Fit uses to register member visits at its fitness clubs, not its broader infrastructure.

Basic-Fit’s franchise operations across six additional countries rely on a separate, independent system and have been confirmed as unaffected by the incident.

Basic-Fit Data Breach

The compromised data encompasses a wide range of sensitive personal information. Affected members had the following data exposed:

• Full names and home addresses
• Email addresses and phone numbers
• Dates of birth
• Bank account details
• Membership information, including subscription type, subscription number, payment status, and recently visited gym locations

Basic-Fit confirmed that no identity documents, such as passports or driving licenses, are stored within the affected system, and that no passwords were accessed during the breach. The company has also stated that, as of now, there are no indications that the leaked data has been misused, Reuters reported.

In compliance with GDPR obligations, Basic-Fit has formally notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) of the breach.

The company operates its headquarters in Hoofddorp, Netherlands, making the Dutch regulator its lead supervisory authority under EU data protection law. All affected members have reportedly been directly informed about the incident.

This breach follows a wave of major data incidents in the Netherlands in 2026, including telecom firm Odido’s exposure of 6.2 million customers’ records, including IBAN numbers and identity documents.

Exposing bank account details alongside full contact information significantly increases the risk of phishing, social engineering, and financial fraud targeting affected individuals.

Cybersecurity experts recommend that impacted Basic-Fit members remain vigilant for suspicious emails or calls requesting further personal or financial information, monitor bank statements closely for anomalies, and exercise heightened caution with unsolicited communications referencing their gym membership.

Basic-Fit has not disclosed the identities of the threat actors responsible for the intrusion, and investigations remain ongoing.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.