The breach exposed names, addresses, email addresses, phone numbers, dates of birth, and bank account details. No passwords or identity documents were accessed. The Dutch Data Protection Authority has been notified. Basic-Fit operates over 1,300 clubs across seven European countries.
Basic-Fit, Europe’s largest budget fitness chain by number of clubs, has disclosed a data breach impacting members across multiple countries, with approximately 200,000 individuals affected in the Netherlands alone. The company confirmed that it detected unauthorised access to its systems and has since notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
The breach specifically targeted the company’s club check-in and visit-registration system, which records member access through turnstiles at its fitness locations. Basic-Fit operates across seven European countries, including the Netherlands, Belgium, Luxembourg, France, Spain, Germany, and Austria, raising concerns about the broader scope of the incident beyond the Netherlands.
According to Basic-Fit, the compromised data includes sensitive member information such as names, home addresses, email addresses, phone numbers, dates of birth, membership details, and bank account information. The company clarified that no identity documents, such as passports or driving licences, are stored in its systems, and no passwords were exposed in the attack.
However, the exposure of bank account details – particularly IBAN numbers – poses a significant risk for affected members. When combined with personal identifiers like names and dates of birth, this data could be exploited for financial fraud, including unauthorized SEPA direct debit transactions and identity impersonation.
Basic-Fit stated that bank account information is collected as part of its standard subscription process to facilitate recurring membership payments. As a result, the compromised system contained aggregated financial and personal data, making it an attractive target for cybercriminals.
The company has urged affected members to remain vigilant by closely monitoring their bank accounts and being cautious of phishing attempts. Attackers may leverage the stolen data to craft highly convincing fraudulent communications aimed at extracting further sensitive information or initiating unauthorized transactions.
The incident comes amid heightened concerns around data security in the Netherlands. Earlier in February 2026, telecom provider Odido, formerly known as T-Mobile Netherlands, experienced a major breach that exposed personal data from approximately 6.2 million customer accounts. That attack involved sensitive information such as IBAN numbers, passport details, and dates of birth.
While the Basic-Fit breach is smaller in scale, it follows a similar pattern of cyberattacks targeting centralized systems that store large volumes of customer identity and financial data. These incidents highlight the growing risks associated with digital platforms that manage sensitive user information and the increasing focus of threat actors on exploiting such systems.
Basic-Fit has not disclosed further technical details about the breach but continues to investigate the incident and assess its full impact. The company’s response underscores the need for stronger safeguards around systems that handle both personal and financial data, particularly in industries with large, distributed customer bases.
Recommended Cyber Technology News :
- Booking.com Warns of Cyberattack and Data Breach Risk
- OpenText Expands AI Data Solutions to AWS European Sovereign Cloud
- Check Point Introduces Perth Data Residency Instance for Workplace Security SASE
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
