
Data breach at Total Fitness exposes personal information of members

Total Fitness, a health club chain in the UK, has experienced a significant data breach involving a non-password-protected database that exposed hundreds of thousands of personal images and private data. Cybersecurity researcher Jeremiah Fowler at vpnMentor discovered the breach, which involved 474,651 images from the Total Fitness database, some containing personally identifiable information (PII).

 

The breach included various images, such as personal screenshots and profile pictures of members and their children. Fowler reported that the database, totaling 47.7 GB, also contained sensitive documents like passports, credit cards, and utility bills. Employee images were also part of the exposed data.

 

Total Fitness, established in 1993, operates 15 health clubs across Northern England and Wales, with over 100,000 members and 600 employees. The leaked images included close-up facial images taken by staff for gym profiles and personal pictures uploaded by members. Fowler identified individuals using an open-source reverse image search tool, which matched the leaked images to members’ names and other personal data.

 

One particularly concerning discovery was an image linked to a gym member’s OnlyFans page, potentially exposing the individual to phishing attacks and extortion. The duration of the database’s exposure is unknown, and it remains unclear if any threat actors accessed it before it was secured.

 

Total Fitness responded promptly to the breach notification, securing the database a week after the discovery. They issued a statement explaining the use of member images for legitimate business purposes, such as preventing membership misuse and identifying members in their facilities. The company emphasized that they are communicating with affected members and have removed the identified images. They also notified the UK’s Information Commissioner’s Office (ICO) and are cooperating with any investigations.

 

Fowler did not determine the source of the images—whether from Total Fitness’s apps or website portal. Total Fitness offers apps for both Apple and Android devices, allowing users to manage membership payments and access digital workouts and personal trainers.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543