Total Fitness, a large health club company with locations throughout Northern England and Wales, revealed a major breach of information in June 2024.
Highlights
- Jeremiah Fowler, a cybersecurity researcher, discovered an unencrypted database holding more than 474 000 photos totaling 47.7GB in size, all related to Total Fitness clients and workers.
- Total Fitness admitted the breach, audited member photographs, deleted the exposed images, and contacted the UK's Information Commissioner's Office (ICO).
Overview of the Data Breach
Total Fitness, a UK-based gym business with over 100,000 members and 15 sites in northern England and Wales, experienced a significant data breach in June 2024. A non-password secured database comprising photos of members, workers, and children was made public online. The disclosed data contained:
- Facial images and profile pictures of members and employees
- Personal screenshots containing sensitive information like passports, credit cards, utility bills
- Names, email addresses, phone numbers, home addresses
- Bank account information and payment details of some members
- Immigration records of some employees
The initial attack vector and particular vulnerabilities that permitted the intrusion are yet unknown. Total Fitness has not offered information about how the attackers obtained access to their computers and disclosed the database.
Jeremiah Fowler found the unprotected database in mid-June 2024. It is unclear how long the database was publicly available before it was found. Fowler contacted Total Fitness about the incident, and the database was secured around a week after the initial report. The company carried out a complete assessment, identified the impacted photographs, removed them, and alerted the UK Information Commissioner's Office.
The perpetrators of the incident are yet unknown. No hacker gang has taken credit. Possible motivations may include:
- Financial gain through sale of sensitive data on dark web markets
- Extortion attempts targeting Total Fitness or individual members
- Malicious intent to cause reputational damage or disruption to the company's operations
Impact Analysis
Exposure to such a large amount of sensitive data implies various risks:
- Identity Theft and Fraud: The availability of PII and financial information increases the risk of identity theft and fraud. Cybercriminals could use this information to impersonate someone, open false accounts, or carry out illicit activities.
- Privacy Violations: The hack raises serious privacy issues, particularly given the inclusion of photographs and sensitive papers. The possibility of using these photos to create deepfakes or other illicit operations is a big issue.
- Reputational Damage: The breach has had a significant negative impact on Total Fitness' reputation. Members and the general public may lose trust in the company's ability to protect their personal information, potentially resulting in membership and revenue losses.
- Legal and Regulatory Consequences: Total Fitness may risk legal action and sanctions for failing to protect personal data in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The Information Commissioner's Office (ICO) has been contacted and will likely examine the incident.
Lessons Learned
Following the Total Fitness UK data breach, here are the lessons learned:
Lack of Basic Security Measures
The attack compromised approximately 500,000 pictures of Total Fitness subscribers and employees, including sensitive personal information such as passports and financial information. This was due to a non-password secured database that was openly available online. This huge breach was allowed by a lack of basic security protections, such as access limitations.
Importance of Data Minimization
The database contains excessive personal data, such as photos of members' children, immigration papers, and other sensitive documents that were very likely unneeded for Total Fitness to have. Organizations should only gather and maintain personal information that is legitimately required.
Need for Robust Data Governance
There are issues about how Total Fitness obtained photographs, how they were stored, who had access, and the data retention regulations. Robust data governance standards are required to ensure the proper management of personal data throughout its lifecycle.
Transparency and Notification
While Total Fitness claimed only a tiny subset contained personally identifiable information (PII), the researcher calculated that 97% were member photos. Concerns were also raised regarding Total Fitness' approach for notifying affected individuals.
Regulatory Scrutiny and Loss of Trust
The hack prompted questions about Total Fitness' security protocols and data protection compliance. It was investigated by the UK's Information Commissioner's Office (ICO), putting its reputation and customer trust at risk.
