Basic-Fit Data Breach Exposes Personal and Banking Details of One Million Members

European gym chain Basic-Fit disclosed on April 13, 2026, that a data breach occurring on April 8 exposed personal and banking information of approximately one million members across Europe, with around 200,000 members in the Netherlands and between 150,000 and 200,000 members in Belgium among those affected. The stolen data included names, home addresses, email addresses, phone numbers, dates of birth, bank account numbers, and detailed membership information. The breach was detected and blocked within minutes, but data had already been downloaded before access was cut off. On the same day, online travel platform Booking.com separately disclosed that unauthorized third parties may have accessed booking details and contact information of some of its users.

Bank account numbers and gym visit logs among stolen data The scope of the compromised membership data at Basic-Fit extended beyond basic contact details. According to the company, the breach also exposed subscription type, payment balance, pass number, an internal identifier, and logs of recent gym visits from the past week, including the specific clubs visited and the times of those visits. The type of mobile device used to validate visits — such as the brand of a phone — was also among the downloaded information. Basic-Fit stated that passwords and identity documents were not compromised, noting that the company does not hold copies of members' identity documents. The company said it found no indications that the leaked data had been misused or made publicly available, and that it had engaged external specialists to continuously monitor whether the downloaded information appeared online.

Breach reported to Dutch regulator within 72-hour legal window Basic-Fit reported the incident to the Dutch Data Protection Authority within the 72-hour window required by law, the company confirmed. The breach affected members across six countries where Basic-Fit operates: the Netherlands, Belgium, France, Spain, Luxembourg, and Germany. Basic-Fit operates more than 2,150 gyms in Europe and serves approximately five million members in total, meaning roughly one in five members had data downloaded in the incident. The company told affected customers that no immediate action was required on their part, but urged them to remain alert for suspicious communications. The Spanish consumer association Consumur advised members to monitor their bank accounts closely for unauthorized charges or unusual transactions in the coming days.

Booking.com warns of phishing after separate security incident Booking.com notified customers via email that unauthorized third parties may have gained access to booking details and contact information, including names, email addresses, physical addresses, and phone numbers. In some cases, personal information shared with accommodation providers may also have been viewed, according to the company. A Booking.com spokesperson confirmed that financial data was not visible to the hackers. The company said it had changed the personal access codes of affected customers as a precaution and that the incident had since been resolved, with hackers no longer having access to customer data. Booking.com declined to disclose how many customers were affected, when the breach occurred, or how long the unauthorized access lasted. The platform warned customers to be vigilant about emails or phone calls from parties impersonating Booking.com or hotels, and stated it would never request credit card details via email, phone, text message, or WhatsApp. Booking.com said it was informing data protection authorities, including the Dutch Data Protection Authority, about the incident.

The EU's GDPR requires organizations operating in the European Union to notify relevant data protection authorities of personal data breaches within 72 hours of becoming aware of them. Phishing attacks — in which criminals impersonate trusted companies to extract financial information or credentials — are a common secondary risk following large-scale data breaches, as stolen personal details such as full names, phone numbers, and bank account numbers allow attackers to craft highly convincing fraudulent messages. The accumulation of data points such as IBAN numbers, dates of birth, and recent activity logs significantly increases the credibility of such impersonation attempts.

Both companies warned customers to treat unsolicited communications with caution. Basic-Fit reminded members never to provide passwords or sensitive financial information in response to emails or phone calls, and noted that the downloaded data could be exploited through phishing campaigns. Booking.com similarly stated it would never ask customers to make bank transfers outside its standard payment methods. The Spanish National Institute of Cybersecurity made its free helpline, number 017, available to citizens with security-related questions. No information on the identity of the attackers behind either breach was available as of April 13, 2026.