Basic-Fit Hit by Hack Affecting Members Across Multiple Countries, Including 200,000 in the Netherlands
April 13, 2026 – 8:07 am
The breach exposed names, addresses, email addresses, phone numbers, dates of birth, and bank account details. No passwords or identity documents were accessed. The Dutch Data Protection Authority has been notified. Basic-Fit operates over 1,300 clubs across seven European countries.
Basic-Fit
Europe’s largest budget fitness chain by club count, has disclosed a data breach affecting members across multiple countries, with approximately 200,000 members in the Netherlands alone whose data was exposed. The company confirmed it had notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) after detecting unauthorized access to the system it uses to register member visits to its fitness clubs.
The data exposed includes membership information, names, home addresses, email addresses, phone numbers, dates of birth, and bank account details. Basic-Fit confirmed that no identity documents, such as passports or driving licenses, are stored by the company, and that no passwords were accessed in the breach.
TNW City Coworking space – Where your best work happens
A workspace designed for growth, collaboration, and endless networking opportunities in the heart of tech.
Book a tour now
The attack targeted the chain’s club check-in and visit-registration system, which logs member access through turnstiles at each location. Basic-Fit operates in seven European countries: the Netherlands, Belgium, Luxembourg, France, Spain, Germany, and Austria.
The inclusion of bank account details in the leaked data is likely to be the most significant concern for affected members. In combination with names and dates of birth, IBAN numbers and bank details create the conditions for SEPA direct debit fraud and financial impersonation. Basic-Fit’s privacy statement confirms that the company collects bank account numbers from all members as part of the subscription process, used to process recurring membership payments.
Affected members have been warned to monitor their accounts closely and to be alert to phishing attempts that may use the exposed personal details to appear credible.
The breach arrives during a difficult period for data security in the Netherlands. In February 2026, telecom operator Odido, formerly T-Mobile Netherlands, suffered what cybersecurity experts described as one of the largest data breaches in Dutch history, with the personal data of approximately 6.2 million customer accounts exposed through an attack on its customer relationship management system. That incident included IBAN numbers, passport details, and dates of birth. The Basic-Fit breach is substantially smaller in scale but follows the same pattern of attacks targeting systems that hold aggregated customer identity and financial data in bulk.