Basic-Fit: Basic-Fit hit by hack affecting members across multiple countries, including 200,000 in the Netherlands

Basic-Fit Data Breach Exposes Personal and Financial Data of 200,000 Dutch Members

Europe’s largest budget fitness chain, Basic-Fit, has reported a data breach affecting approximately 200,000 members in the Netherlands, with potential exposure across its 1,300+ clubs in seven European countries, including Belgium, Luxembourg, France, Spain, Germany, and Austria. The incident, disclosed to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), involved unauthorized access to the company’s club check-in and visit-registration system, which logs member entries via turnstiles.

The exposed data includes names, home addresses, email addresses, phone numbers, dates of birth, and bank account details, though passwords and identity documents (such as passports or driving licenses) were not accessed. Basic-Fit confirmed that IBAN numbers used for recurring membership payments were among the compromised financial details, raising concerns over SEPA direct debit fraud and financial impersonation.

The breach follows a pattern of recent cyberattacks in the Netherlands, including a February 2026 incident at telecom operator Odido (formerly T-Mobile Netherlands), which exposed 6.2 million customer records, including passport details and IBAN numbers. While smaller in scale, the Basic-Fit breach underscores ongoing risks to systems storing bulk customer identity and financial data.

Affected members have been advised to monitor their accounts for suspicious activity and remain vigilant against phishing attempts leveraging the exposed personal information.

Source: https://thenextweb.com/news/basic-fit-hit-by-hack-affecting-members-across-multiple-countries-including-200000-in-the-netherlands

Basic-Fit cybersecurity rating report: https://www.rankiteo.com/company/basic-fit

"id": "BAS1776068889",
"linkid": "basic-fit",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '200,000 members in the '
                                              'Netherlands',
                        'industry': 'Fitness/Health',
                        'location': 'Netherlands (with potential exposure in '
                                    'Belgium, Luxembourg, France, Spain, '
                                    'Germany, and Austria)',
                        'name': 'Basic-Fit',
                        'size': 'Large (1,300+ clubs across Europe)',
                        'type': 'Corporation'}],
 'attack_vector': 'Unauthorized Access',
 'customer_advisories': 'Affected members advised to monitor their accounts '
                        'for suspicious activity and remain vigilant against '
                        'phishing attempts',
 'data_breach': {'number_of_records_exposed': '200,000',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personal and financial data)',
                 'type_of_data_compromised': ['Names',
                                              'Home addresses',
                                              'Email addresses',
                                              'Phone numbers',
                                              'Dates of birth',
                                              'Bank account details (IBAN '
                                              'numbers)']},
 'description': 'Europe’s largest budget fitness chain, Basic-Fit, has '
                'reported a data breach affecting approximately 200,000 '
                'members in the Netherlands, with potential exposure across '
                'its 1,300+ clubs in seven European countries. The incident '
                'involved unauthorized access to the company’s club check-in '
                'and visit-registration system, exposing personal and '
                'financial data.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of sensitive customer data',
            'data_compromised': 'Personal and financial data, including names, '
                                'home addresses, email addresses, phone '
                                'numbers, dates of birth, and bank account '
                                'details (IBAN numbers)',
            'identity_theft_risk': 'High risk of SEPA direct debit fraud and '
                                   'financial impersonation',
            'payment_information_risk': 'IBAN numbers exposed, increasing risk '
                                        'of financial fraud',
            'systems_affected': 'Club check-in and visit-registration system'},
 'references': [{'source': 'Cyber Incident Description'}],
 'regulatory_compliance': {'regulatory_notifications': 'Disclosed to the Dutch '
                                                       'Data Protection '
                                                       'Authority (Autoriteit '
                                                       'Persoonsgegevens)'},
 'response': {'communication_strategy': 'Affected members advised to monitor '
                                        'accounts for suspicious activity and '
                                        'remain vigilant against phishing '
                                        'attempts'},
 'title': 'Basic-Fit Data Breach Exposes Personal and Financial Data of '
          '200,000 Dutch Members',
 'type': 'Data Breach'}