
The breach exposed names, addresses, email addresses, phone numbers, dates of birth, and bank account details. No passwords or identity documents were accessed. The Dutch Data Protection Authority has been notified. Basic-Fit operates over 1,300 clubs across seven European countries.
Basic-Fit, Europe’s largest budget fitness chain by club count, has disclosed a data breach affecting members in multiple countries, including around 200,000 members in the Netherlands whose data was exposed.
The company confirmed it had alerted the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) after detecting unauthorized access to the system it uses for logging member visits to its fitness clubs.
The exposed data includes membership information, names, home addresses, email addresses, phone numbers, dates of birth, and bank account details. Basic-Fit said that it does not store identity documents, such as passports or driving licenses, and that no passwords were accessed in the breach.
The attack focused on the chain’s club check-in and visit-registration system, which records member access through turnstiles at each location. Basic-Fit operates in seven European countries: the Netherlands, Belgium, Luxembourg, France, Spain, Germany, and Austria.
The inclusion of bank account details in the leaked data is potentially the most significant concern for the affected members. Combined with names and dates of birth, IBAN numbers and bank details pave the way for SEPA direct debit fraud and financial impersonation.
Basic-Fit’s privacy statement confirms that the company collects bank account numbers from all members as part of the subscription process, used to process recurring membership payments.
Affected members have been advised to monitor their accounts closely and to be vigilant against phishing attempts that use the exposed personal details to appear credible.
The breach occurs during a challenging period for data security in the Netherlands. In February 2026, telecom operator Odido, previously T-Mobile Netherlands, suffered what cybersecurity experts described as one of the largest data breaches in Dutch history, with the personal data of about 6.2 million customer accounts exposed through an attack on its customer relationship management system.
That incident included IBAN numbers, passport details, and dates of birth. The Basic-Fit breach is considerably smaller in scale but follows the same pattern of attacks targeting systems that hold aggregated customer identity and financial data in bulk.