UK-based health club chain Total Fitness has suffered a major data breach, exposing nearly half a million images, cybersecurity researcher Jeremiah Fowler revealed today.

The leaked data, totaling 47.7 GB, includes facial recognition data of gym members and staff, photos taken during the membership process, and, alarmingly, highly sensitive documents such as passports, credit cards, and utility bills.

Scope of the Breach

The Total Fitness data breach has exposed a massive trove of sensitive information, comprising over 474,651 images. This includes not only facial recognition data used for gym access but also photos taken during the membership onboarding process, which could reveal sensitive details about members’ health and fitness. Additionally, the leak exposed Personally Identifiable Information (PII) through uploaded documents like passports, credit cards, and utility bills, leaving members vulnerable to a range of threats.

Potential Impact

The potential impact of this breach is severe. The exposed PII could be exploited for identity theft, enabling criminals to open fraudulent accounts or commit crimes in the victims’ names. The compromised financial information also raises concerns about financial fraud, with the potential for unauthorized transactions and significant financial loss. Furthermore, the leaked images could be used for blackmail, harassment, or deepfake scams, posing a broad spectrum of cyber threats to the affected individuals.

Total Fitness has yet to issue an official statement regarding the breach. It is unclear how the leak occurred or what measures the company is taking to mitigate the damage and protect affected members.