US fitness chain Town Sports has suffered a data breach: a database belonging to the company, containing the personal information of over 600,000 people, was exposed on the Internet.
Town Sports International Holdings is an operator of fitness centers in the Eastern United States, California and in Switzerland. Its brands include New York Sports Clubs, Boston Sports Clubs, Philadelphia Sports Clubs, Washington Sports Clubs, Lucille Roberts, TMPL Gym and Total Woman Gym and Spa.
Town Sports International lost the battle with the Coronavirus outbreak and filed for bankruptcy on September 14, 2020.
Data breach hunter Bob Diachenko discovered a database belonging to the company exposed online.
The archive contained records for almost 600,000 members or staff; the exposed information includes names, addresses, phone numbers, email addresses, the last four digits of credit card numbers, credit card expiration dates, and each member’s billing history.
“Fitness chain Town Sports International has exposed 600,000 records of members and employees on the web without a password or any other authentication required to access it, Comparitech researchers report.” reads the report published by Comparitech, “Comparitech security researcher Bob Diachenko received a tip from cybersecurity expert Sami Toivonen about the exposure on September 21, 2020.”
The expert confirmed that the database did not contain financial data or account passwords.
Diachenko notified Town Sports and shared his findings with the journalist Zack Whittaker from Techcrunch on September 21, 2020.
The good news is that the company secured the database the day after it was informed of the data leak.
At the time, it was not clear how long the database had remained exposed online or whether any unauthorized persons had accessed it.
Town Sports should remain vigilant: threat actors could use the exposed data to carry out several malicious activities.
“In the wrong hands, cybercriminals could use the information stored in the database to scam and phish Town Sports customers and employees.” concludes Comparitech.
“Scammers can use the database’s personal information to make the message seem more convincing. Phishing messages usually contain links to phishing pages that look authentic and often identical to the official website, but in fact are copies designed to steal passwords or payment info.”
(SecurityAffairs – hacking, Norway)