Basic-Fit Confirms Data Breach Exposing Financial Details of One Million Members
Europe’s largest fitness chain has disclosed a major security incident affecting approximately one million members across multiple countries, including a significant leak of IBAN and bank information.
HOOFDDORP, Netherlands — Basic-Fit has officially confirmed a large-scale data breach that has compromised the personal and financial information of nearly one million gym members. In a statement released on April 13, 2026, the fitness giant revealed that an unauthorized third party gained access to a customer database, impacting users across the Netherlands, Luxembourg, Belgium, and France.
While initial reports centered on 200,000 affected members in the Netherlands, subsequent investigations by Reuters and The Register have raised that figure to approximately one million individuals globally.
The Scope of the Exposure
Unlike many recent breaches that focused primarily on marketing data, the Basic-Fit incident involves highly sensitive financial identifiers. According to the company's disclosure and reports from RTL Luxembourg, the exfiltrated data includes:
- Identity Data: Full names, home addresses, and dates of birth.
- Contact Information: Email addresses and phone numbers.
- Financial Details: International Bank Account Numbers (IBAN) and direct debit instructions.
Basic-Fit has clarified that while IBAN details were exposed, login credentials (passwords) and full credit card details were not part of the compromised dataset. However, the exposure of IBANs and home addresses provides threat actors with sufficient information to conduct sophisticated mandate fraud and targeted phishing campaigns.
Connection to the Booking.com Incident
The timing of the disclosure has drawn immediate attention from security researchers. As noted by the Belga News Agency, the Basic-Fit breach and the recent Booking.com breach both occurred within the same 48-hour window.
While a direct technical link between the two has not been confirmed, investigators are looking into whether both companies shared a common third-party service provider or whether a similar "info-stealer" malware campaign targeted administrative portals across the European retail and service sectors.
Corporate Response and Remediation
Basic-Fit has notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and is in the process of contacting affected members via email. The company has since "plugged the leak" and hardened its database access protocols.
"We deeply regret this incident and have taken immediate action to secure our systems," a company spokesperson said. "We are advising members to monitor their bank statements closely for any unauthorized direct debit activity."
The CyberSignal Analysis
Signal 01 — The Resurgence of IBAN Harvesting
This breach marks a shift back toward harvesting bank account details over simple credit card numbers. In the EU, an IBAN combined with a name and address is often enough to initiate fraudulent direct debit mandates. For organizations, this underscores the risk of storing legacy financial data in active databases. If the data isn't needed for active billing, it should be properly archived or tokenized.
Signal 02 — The European "Cluster" Attack
The simultaneous nature of the Basic-Fit and Booking.com breaches suggests a coordinated campaign targeting European consumer platforms. Security teams should be on high alert for Account Takeover (ATO) attempts originating from compromised partner credentials. If your organization operates in the Benelux region, now is the time to enforce mandatory MFA across all administrative and partner portals.
Sources
| Type | Source |
|---|---|
| Primary Report | Reuters: Basic-Fit Confirms Data Breach for 200k+ Members |
| Global Impact | TradingView: Breach Affects One Million Members Globally |
| Regional Intel | Luxembourg Times: Local Victims Confirmed in Basic-Fit Leak |
| Technical Alert | Heise: Technical Details of Basic-Fit Data Leak |