Basic-Fit data breach exposes details of 1 million members across Europe

A breach at Basic-Fit exposed the kind of details that can turn a gym membership into a fraud target: bank account information, names, birth dates and contact details for about 1 million members across Europe, including roughly 200,000 in the Netherlands.

Basic-Fit said its monitoring tools detected the unauthorized access and shut it down within minutes. The company said it informed members whose data was involved, and added that it does not store identification documents and that no passwords were accessed. That sharply reduces the risk of immediate account takeover, but it leaves open a more familiar danger: phishing, impersonation and other scams built from stolen personal data.

The scale matters because Basic-Fit is far more than a local gym chain. In its 2025 annual report, the company said it operated more than 2,150 clubs across 12 countries, with 5.8 million memberships and more than 9,000 employees. Its 2025 trading update said the Clever Fit acquisition positioned the group as the market leader in Germany and the wider DACH region, underscoring how a breach in one central system could touch members in multiple markets, not just one national database.

VRT reported that up to 200,000 Belgian customers may also have been affected. Reuters said Basic-Fit notified the relevant Dutch data protection authority, a step that aligns with the expectations of the Autoriteit Persoonsgegevens, which says organizations must act immediately when a breach creates high risks and warn victims quickly. The regulator also cautions that leaked bank details can be used for fraud and phishing, while exposed contact information can help criminals make those messages look convincing.

The incident is a reminder that consumer fitness companies now hold data with real financial value. A routine membership account may seem far removed from banking or health care, but when it contains bank details and contact information tied to daily habits and locations, the privacy risk becomes intimate fast. For Basic-Fit, the question now is not only how the breach happened, but how a sprawling, 12-country business hardens its systems before the next attempt gets further than a few minutes.