Basic-Fit data breach affects members and bank details across Europe

Basic-Fit told members to watch for phishing after an unauthorized download touched personal data and, for some people, bank-related information across several European markets, including Spain. If you received an email from the company, treat it as the signal that your record was involved and keep a close eye on messages asking for login details or payment confirmation. If you did not receive an email, Basic-Fit says your data was not involved and remains secure.

The company said the intrusion was detected by internal monitoring on April 8, 2026 and stopped within minutes, though some data had already been downloaded before containment. Basic-Fit notified the relevant data protection authority and began contacting potentially affected members while it brought in outside experts to determine how the access happened and what was taken. Reuters reported that roughly 1 million members were affected overall, including about 200,000 in the Netherlands, and that the exposed information included bank account details, names, birth dates and contact information. Basic-Fit said it does not store identification documents and that no passwords were accessed.

The episode lands in the middle of a business model built on convenience and concentration. Basic-Fit operates more than 2,150 clubs and says it has about 5.8 million members across its owned clubs and franchise network, while its owned-club membership base reached 4.82 million in 2025. For a gym chain that manages entry, recurring payments, app-based account controls and visit histories in one system, a breach is not just a privacy problem. It reaches the heart of the subscription relationship.

Spain is a meaningful part of that footprint. Basic-Fit completed the acquisition of RSG Spain’s 47 clubs on March 27, 2024 and said the deal would bring its Spanish network to 187 clubs, deepening its exposure in a market where it is still expanding. That makes the company’s communication in Spain especially important. Its customer-service page says it informed “a portion of our members” about the unauthorized download, and the message is direct: members who did not receive an email were not involved and do not need to take action.

The regulatory clock is tight as well. The Spanish Data Protection Agency says breach notifications are due within 72 hours of the moment an organization becomes aware of the incident, and Basic-Fit said it informed the relevant authority. In a sector that now stores payment data, attendance patterns and account access alongside membership records, the breach is a reminder that trust has become as central to the gym business as price, location and equipment.