Fitness chain Basic-Fit and booking website Booking.com both announce a data breach. At Basic-Fit, at least one million customers have been affected.
Two data breaches for the price of one. Both Basic-Fit and Booking.com announced yesterday that they were targeted by hackers.
In a public statement on Monday morning, Basic-Fit announced that it had identified ‘unauthorized access’ to the system that registers member visits. The intruder(s) were reportedly forced out after a few minutes, but this did not prevent personal customer data from being downloaded. Affected customers have been notified by email (see below).
One million affected customers
Basic-Fit reports that 200,000 members in the Netherlands are affected by the data breach. The originally Dutch fitness chain also has clubs in Belgium, France, Luxembourg, Germany, and Spain. In a response to ITdaily, the company says it is deliberately not sharing information about the number of affected customers per country, although it reportedly involves approximately one million customers in total. That is about one in five of the total customer base.
Initial investigation has shown that the following customer data may have been leaked:
- Email address
- First and last name
- Address and place of residence
- Phone number
- Bank account number
- Account holder
- Date of birth
- Membership information
Passwords for Basic-Fit accounts remained unaffected. Although customers do not need to fear that their accounts will be hacked, a significant amount of personal information is now out in the open. Cybercriminals are keen to get hold of this data to create personalized phishing emails. Basic-Fit requests customers to be extra vigilant.
It is not known whether the leaked data has already been published on the dark web or if the perpetrator(s) are demanding ransom from Basic-Fit. The fitness chain says it has reported the incident to the Dutch Data Protection Authority.
Booking.com data breach
Those who recently booked a hotel stay through Booking.com may also be affected. Booking.com notified customers of a security incident via email on Sunday evening. In addition to booking information, names, email addresses, phone numbers, and physical addresses were also reportedly visible to unauthorized parties.
“We recently detected suspicious activity where unauthorized third parties gained access to the booking details of some of our guests. As soon as we discovered these activities, we took measures to contain the issue. We have reset the PIN codes for these reservations and informed our guests. We can confirm that no financial data was compromised from Booking.com’s systems,” the company said in a statement to ITdaily.
For those affected by one of these data breaches—or both, if you are particularly unlucky—the same advice applies: be extra vigilant for suspicious emails that appear to come from Basic-Fit or Booking.com.
This incident is not a first for Booking.com. The company was fined nearly one million euros following an incident in 2018 that it reported far too late. This year, hackers took over the chat function of the website to lure hotel guests into a trap.
Dutch security debacles
There is currently no reason to assume that the incidents involving Basic-Fit and Booking.com are linked. However, there is a common factor: both companies are headquartered in the Netherlands. The Dutch government itself has recently shown multiple times that it is not setting a good example when it comes to cybersecurity.
Last month, the Ministry of Finance announced it had been targeted by hackers. Things have been going wrong at the Ministry of Justice for some time now. The ministry’s permanent ICT partner has been hacked twice since last summer.
This article originally appeared on April 13 and was republished with a response from Booking.com.