Incident

UK Health Club Total Fitness exposes customer personal info and payment card data

Total Fitness, a members-only health club chain with 15 locations in North England and Wales, experienced a significant KYC (Know Your Customer) data breach.

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured database that left personal details and photos of members and staff exposed online. The database, found to contain 474,651 images and over 47.7 GB of data, was accessible without a password or any other form of authentication.

The exposed data included:

  • Full names
  • Utility bills
  • Credit cards
  • Phone numbers
  • Email addresses
  • Home addresses
  • Passports with employees’ immigration details

The dataset also included facial images of gym employees, members, and children, some of which were taken during membership processes with the Total Fitness logo in the background. Most images were self-submitted by members or their parents/guardians.

It is unclear how long the database was publicly accessible, or whether it was accessed by malicious actors.

Total Fitness has initiated an audit, contacted affected members, and removed the exposed images. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has been notified, and Total Fitness is cooperating with its inquiries.