Account Takeovermedium

Data Breach at a Local Gym Chain

A 12-branch gym chain suffered a data breach exposing member names, emails, phone numbers, and hashed passwords — all because of a single unpatched software vulnerability.

Regional gym chain (UK)·2023·2 min read

Attack Chain

  1. 1
    Unpatched software vulnerability identified
  2. 2
    Automated exploit tool used to gain access
  3. 3
    Member database extracted silently
  4. 4
    Breach undetected for 11 days

Background

A regional gym chain with 12 locations and around 8,000 members used a membership management platform that handled bookings, payments, and customer accounts. The software had a known security vulnerability that the gym's IT contractor had not yet patched.

The Attack

An attacker discovered the outdated software version and used an automated tool to exploit the known vulnerability. They gained access to the database and extracted a file containing all member records: full names, email addresses, phone numbers, dates of birth, hashed passwords, and the last four digits of payment cards. The breach went undetected for 11 days.

Response

The breach was discovered when a member emailed to ask why they were receiving phishing emails using their gym-specific email address (an alias they only used for the gym). An IT audit confirmed the breach. The gym notified the ICO, sent an email to all affected members, and offered 12 months of credit monitoring.

Outcome

The ICO issued a reprimand. Several members received targeted phishing emails and one reported that a hashed password had been cracked and used to access another account where they reused the same password. The gym spent £30,000 on breach response and PR.

Key Takeaways

  1. Use a different password for every account — a password manager makes this easy and takes about 30 minutes to set up
  2. When a gym, club, or service you use suffers a breach, change your password there immediately and on any account using the same password
  3. Use an email alias for less-trusted services (SimpleLogin and Apple's Hide My Email are good options) so you know exactly where a breach came from
  4. Software patches are not optional — known vulnerabilities are the most common way businesses get hacked
  5. Check whether your email has been in a breach at HaveIBeenPwned.com — it's free and takes 10 seconds

How to Prevent This

All guides
intermediate

Know what the ICO requires from you if customer data is breached

If your business experiences a data breach — someone's personal data is accessed, lost, or shared without authorisation — you may have legal obligations under UK GDPR. You must report a breach to the ICO (Information Commissioner's Office) within 72 hours if it is likely to result in a risk to the rights and freedoms of the people whose data was affected. This includes breaches that expose names, contact details, financial data, health data, or anything that could be used against someone. You must also inform the affected individuals if there is a high risk to them. The 72-hour clock starts when you become aware of the breach — which is why having a basic response plan matters. Knowing who to call (your IT provider, a solicitor, the ICO) before a crisis happens means you don't lose hours figuring it out under pressure. The ICO has a self-assessment tool at ico.org.uk to help you decide whether a breach needs reporting. Even if you decide not to report, you should document the breach and your reasoning. Fines for non-compliance are real and can affect small businesses — the ICO has fined organisations as small as a sole trader.

See: Data Breach at a Local Gym ChainSmall Business Security
data breachunpatched softwarepassword reusepersonal dataICO

More in Account Takeover

2022high

The Fake Amazon Seller Account Takeover

2 min readAccount Takeover
2023high

The Café Owner Who Lost Access to Everything

2 min readAccount Takeover