The bank account details and personal information of nearly 1 million Basic-Fit members across six countries have been exposed after hackers breached one of Europe’s largest fitness chains.

The “value-for-money” fitness franchise put out a press release on Monday, also informing its members by email that hackers had gained “unauthorized data access to the system that records members' visits to Basic-Fit clubs.”

“An investigation conducted by external security experts has shown that some of the data stored in the system was downloaded,” the company said.

Apparently, the company said its “system monitoring processes” detected the intrusion immediately and, within minutes, were able to resecure the system.

Headquartered in Hoofddorp, Netherlands, Basic-Fit operates over 2,150 clubs in twelve countries via two brands, Basic-Fit and Clever Fit, and has more than 5.8 million memberships, according to the “value-for-money” fitness franchise.

That means the sensitive information of roughly one-fifth of all franchise members has been compromised in the attack.

Bank details of 1 million exposed

Basic-Fit revealed that 200,000 active members in the Netherlands had their data stolen.

A company spokesperson told The Register on Monday – after facing pressure from the media outlet – that members from five other EU nations were also directly impacted – Belgium, France, Germany, Luxembourg, and Spain.

Basic-Fit says the at-risk data involves membership information, including

• name and address details
• email addresses
• phone numbers
• dates of birth
• bank account details

It's unclear what those bank details are, but presumably the account numbers used to charge membership fees were involved.

The gym giant says its systems do not store members' identification documents, such as driver's licenses and government ID cards, and that no passwords were accessed.

Basic-Fit also said that there has been no sign of the stolen data being misused, but it's likely too early to tell, as hacker groups often hold onto that data to craft future targeted phishing attacks and identity theft schemes, or attempt to sell the data to other cybercriminals on the dark web.

“Together with external specialists, Basic-Fit continues to monitor the issue closely,” it said, not disclosing what date the breach took place, or whether it was related to ransomware.

Hackers hit system tracking gym visits

The company told the news outlet that all victims were hit the same way – through “one system containing data on members' visits to clubs,” adding that the system involved is not a specifically Dutch or French, but one system used throughout the entire franchise.

“For all, it concerned the same data. How they could access the system, who did it, and how is now part of the investigation that we are conduct[ing] with external specialists," Basic-Fit said.

Basic-Fit says all affected members have been notified, as well as relevant data protection authorities.

The company warned members in the disclosure to be on the lookout for any phishing attempts and to contact the corporate offices to verify any suspicious communications, the Register said.

The Basic-Fit brand is the brainchild of two former Dutch tennis players, René Moos and Eric Wilborts, who merged their fitness centers in 2013 to form a new modern gym concept. It is considered the largest fitness operator and franchisor in Europe.

It's not the first cyber incident to affect a major gym brand.

In September 2025, Hello Gym – a US-based fitness industry communications and management platform used by nearly 20,000 gyms in North America – was found leaking a massive dataset of gym members' personal data, including more than 1.6 million audio calls and voicemails.

In 2024, the UK’s Total Fitness health club chain was also found leaking hundreds of thousands of members’ personal images – including photos of children – along with other private data from a non-password-protected membership database.

---

Unlock more exclusive Cybernews content on YouTube.