A significant data breach at Total Fitness, a UK-based health club chain, has compromised nearly 475,000 personal images and private data from a non-password-protected membership database. The leak, identified by Jeremiah Fowler at vpnMentor, includes profile pictures, personal screenshots, and sensitive documents such as passports, credit cards, and utility bills. Some images, including close-ups used for gym profiles, even contained personal photos of members and their children. The breach also exposed an image linked to a member’s OnlyFans page, heightening the risk of phishing and extortion.
Total Fitness, established in 1993 and operating 15 health clubs across Northern England and Wales, along with two fitness apps, has over 100,000 members and 600 employees. The researcher’s use of open-source reverse image search tools allowed easy identification of members, raising serious privacy concerns. The database was closed a week after the leak was reported, but the duration it remained unsecured is unclear, leaving questions about prior unauthorized access. Additionally, it is not confirmed whether health-related data was also exposed or if the leak affected former members.
In response to the leak, Total Fitness assured members that images have been removed and the Information Commissioner’s Office (ICO) has been notified. The company explained that member photos are collected to prevent membership fraud and assist in identifying members at their facilities. Total Fitness is communicating directly with affected members to address the issue. The data breach’s origins, whether from apps or the website, remain undetermined, as Total Fitness’s app functionality includes membership management, payments, and access to digital workouts.
The Total Fitness incident follows earlier reports, such as the exposure of 151 million MyFitnessPal app users in January and findings on health and fitness apps sharing user data with third parties. Cybernews has reached out to Total Fitness for further comment, awaiting their detailed response. This breach underscores ongoing vulnerabilities in fitness and health-related data security, prompting further scrutiny and necessary precautions in data handling and protection practices across the industry.
