Basic-Fit: 1 million customers affected, banking details exposed after a cyberattack
In April 2026, gym chain Basic-Fit disclosed that attackers breached its member check-in system, exposing the personal and banking details of roughly 1 million members across France, Belgium, Germany, Spain, Luxembourg and the Netherlands.
- Victim
- Basic-Fit
- records
- 1.0M
On 13 April 2026, Basic-Fit — Europe's largest low-cost gym chain, headquartered in the Netherlands — disclosed a cyberattack that exposed the personal and financial data of approximately 1 million members. The intrusion involved unauthorized access to the internal system that records members' check-ins at Basic-Fit clubs.
The breach affected members across six countries where the chain operates: France, Belgium, Germany, Spain, Luxembourg and the Netherlands. According to the company, attackers were able to download a combination of identity, contact and banking information from the compromised system.
The exposed data included:
- Subscription/membership information
- Full names and postal addresses
- Email addresses and phone numbers
- Dates of birth
- Banking details (IBAN)
Basic-Fit stated that no passwords were compromised and that it does not retain copies of identity documents. The company notified affected members and warned them of an elevated risk of fraud and identity theft, since the combination of an IBAN with a name and address can be used to set up fraudulent SEPA direct-debit mandates. Authorities were notified of the incident and access to the affected system was cut off.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/basic-fit-1-million-de-clients-touches-des-coordonnees-bancaires-exposees-apres-une-cyberattaque/
- cnews.frhttps://www.cnews.fr/france/2026-04-14/basic-fit-pirate-1-million-de-membres-touches-quelles-sont-les-informations-qui
- 24matins.frhttps://www.24matins.fr/une-cyberattaque-expose-les-donnees-bancaires-dun-million-de-clients-de-basic-fit-1405958