Basic-Fit, Europe’s largest gym chain, has confirmed a data breach affecting approximately 1 million members across 6 countries after an attacker gained unauthorized access to an internal system that records member visits to its clubs. The company notified affected members directly on April 13, 2026 and filed a report with the relevant data protection authority under GDPR obligations.
What Was Taken
According to Basic-Fit’s disclosure, the compromised system contained membership visit records along with associated personal data. The stolen information includes names, home and email addresses, phone numbers, dates of birth, and bank account details. The company confirmed that passwords were not accessed and that it does not store copies of identity documents, limiting but not eliminating the risk to affected members.
Basic-Fit stated that it is not currently aware of any stolen member data appearing online, either for free or for sale, but said it continues to actively monitor the situation. The company advised affected members to remain alert to phishing attempts and to verify any suspicious communications through official channels only.
Scale and Geographic Reach
Basic-Fit operates more than 2,150 gyms across 12 countries in Europe under two brands, Basic-Fit and Clever Fit, with approximately 5.8 million registered members in total. The breach affected members in 6 countries: the Netherlands, Belgium, Luxembourg, France, Spain, and Germany. Around 200,000 of the 1 million affected members are based in the Netherlands alone.
The company described the breach as affecting a single system rather than multiple environments, and confirmed the data types and method of exposure were consistent across all 6 affected countries. Basic-Fit said unauthorized access was detected by its monitoring systems and stopped within minutes of discovery, though the attacker had already exfiltrated data before access was cut off.
Investigation Ongoing
Basic-Fit confirmed it is working with external cybersecurity specialists to determine how the attacker accessed the system, who was responsible, and the full scope of the intrusion. The company has not disclosed the attack vector or attributed the breach to any known threat actor. No ransomware group had publicly claimed responsibility at time of publication.
The exposure of bank account details alongside standard contact information raises meaningful fraud risk for affected members. While Basic-Fit has not confirmed any misuse of the stolen data, bank details in combination with names, addresses, and dates of birth provide sufficient information for social engineering attacks, phishing, and in some cases direct financial fraud attempts. April 13 was a particularly active day for European consumer data breaches — Booking.com confirmed a separate breach the same day, exposing guest reservation data including names, emails, and phone numbers across its global platform. Affected Basic-Fit members are encouraged to review their bank statements, report any suspicious activity to their financial institution promptly, and consult our guide on what to do when you receive a data breach notification.
