U.S. Fitness Chain Town Sports International Suffered Data Breach – More Than 600K Customers Affected

Recently, the U.S. fitness chain the Town Sports International has suffered a data breach, in which more than 600,000 records of its members and employees have been exposed and available publicly on the web without any password or any other authentication.

Town Sports International is the proprietor of well-known fitness centers and gyms in the United States that also include New York Sports Clubs, Boston Sports Clubs, Philadelphia Sports Clubs, Washington Sports Clubs, Lucille Roberts, and Total Woman Gym and Spa.

Timeline of the exposure

The cybersecurity experts Toivonen alerted the security research Diachenko regarding the exposed database; he affirmed that the database was first seen in the wild 11 months ago on November 30, 2019. That’s why Diachenko sends a reliable revelation notice to Town Sports on September 21, 2020.

However, the whole database has been guarded one day later, on September 22, 2020. They also stated that they dont know if any unauthorized parties entered the data while it was flashed, but affected customers and staff could understand the situation well.

Moreover, the Town sport International asserted that their investigation shows that all the unsecured databases can be exposed, stolen, and struck within just a few hours of exposure.

Data involve

According to the Comparitech research, the customer and employee records were collected in an Amazon S3 bucket, and each record included all these following info:-

  • Full name
  • Street address
  • Phone number
  • Email address
  • Last four digits of credit card
  • Credit card expiration date
  • Billing history

Apart from this, no account passwords, CVVs, or full credit card numbers were collected in the database. As Diachenko analyzed a database that contained the user records for almost 600,000 members and staff, and it also contained personal information.

Apart from this, to be safe, it is safer to consider that someone, other than the researchers, may have obtained the data and be on the outlook for targeted phishing emails.

According to the cybersecurity researchers, “Scammers can utilize the database’s data to make the message seem more acceptable and convincing. As Phishing messages usually comprise links to phishing pages that seem authentic and often similar to its official website.” 

But Comparitech asserted that “the threat actors design the website in such a manner that users will get confused and then the threat actor steal passwords or payment info.”

The experts are still investigating the whole matter and are now trying to track down the actual attacker. They also affirmed that they would notify each detail regarding the conflict so that the data can be secured as soon as possible.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read: Shopify Hacked – Two Rogue Employees Stole Customers Transaction Data

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Palo Alto Networks PAN-OS Zero-day Under Active Attack

In a recent security alert, Palo Alto Networks has disclosed a critical vulnerability within its…

9 hours ago

DuckDuckGo Launches Privacy Pro : 3-In-1 Service With VPN

DuckDuckGo is a search engine that takes users' privacy seriously. It does not track or…

10 hours ago

Wiz to Acquire Gem Security for $350M to Address Cloud Security

Wiz, a leading cloud security company, has announced its acquisition of Gem Security for $350…

15 hours ago

Critical Bitdefender Vulnerabilities Let Attackers Gain Control Over System

Bitdefender GravityZone Update Server (versions 6.36.1, Endpoint Security for Linux, and Endpoint Security for…

15 hours ago

Ukrainian Hackers Hijacked 87,000 Sensors to Shut down Sewage System

Ukrainian hackers have successfully infiltrated and disabled a vast network of industrial sensors and monitoring…

16 hours ago

Zscaler Acquires Airgap Networks to Enhance Zero Trust SASE

Zscaler has announced the acquisition of Airgap Networks, a company renowned for its agentless segmentation…

18 hours ago