Town Sports International Holdings, Inc., one of the largest owners and operators of fitness clubs in the U.S. East Coast, exposed the personal and financial information of over 600,000 members via an exposed database that was publicly accessible for at least a year before it was discovered.
Security researcher Bob Diachenko, who specialises in the discovery of unprotected online databases, was recently alerted about the existence of the unprotected database owned by Town Sports by cyber security expert Sami Toivonen who said the database was first observed in the wild in November last year.
Diachenko found that the database contained at least 600,000 records of members and employees that included names, contact information such as addresses and phone numbers, billing histories, and limited payment information such as the last four digits of credit cards and credit card expiration dates. Public access to the database was closed on 22nd September, a day after Diachenko reached out to the company to report the exposure.
The unprotected database was discovered a few days after Town Sports filed for Chapter 11 bankruptcy, having suffered severe financial losses and loss of members due to prolonged shutdown necessitated by the COVID-19 pandemic. The company owns a number of gyms and fitness clubs such as New York Sports Clubs, Boston Sports Clubs, Philadelphia Sports Clubs, Washington Sports Clubs, Lucille Roberts, and Total Woman Gym and Spa.
"In the wrong hands, cybercriminals could use the information stored in the database to scam and phish Town Sports customers and employees. Staff and gym members should be on the lookout for emails, text messages, and phone calls from fraudsters posing as Town Sports or a related company.
"Scammers can use the database’s personal information to make the message seem more convincing. Phishing messages usually contain links to phishing pages that look authentic and often identical to the official website, but in fact are copies designed to steal passwords or payment info. Affected staff and customers could also see an increase in spam to their inboxes," Diachenko said in a blog post. sports
Commenting on the massive exposure of personal records by Town Sports, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said that as businesses struggle to control costs with reduced revenue due to the pandemic, it’s normal for them to look to options like cloud hosted storage. Even though properly securing that storage should be a priority, we continue to see incidents of improperly secured S3 buckets and databases being reported.
"Each cloud provider offers APIs that can be used to automate the configuration of their cloud storage offerings. Additionally, audit logging is available to monitor for unexpected usage patterns such as successful access attempts by third parties.
"In the case of Town Sports, their Chapter 11 proceedings could be a contributing factor to the misconfiguration if they have reduced IT staffing levels. In such a situation, increased controls should be implemented on the underlying data as it could be considered an asset by the bankruptcy courts," he added.