UK health club chain Total Fitness has left a sizable database filled with members’ personal information unsecured. The breach was uncovered by cybersecurity researcher Jeremiah Fowler, who reported that over 474,000 images of members and staff, including men, women, and children, were stored in a database that was unprotected and accessible without a password.
The database contained various images, including photos of members’ faces. These were either submitted by the members during online registration or taken by staff during on-site registration.
According to Fowler, the database was 47.7GB in size. It contained images of identity documents, bank and payment card information, phone numbers, and, in some rare instances, immigration records, according to Fowler.
He also reported that approximately 97 percent of the database consisted of members’ images. However, Total Fitness disputed the severity of the data breach, arguing that members’ images made up only a “subset” of the database and most images did not include personally identifiable information.
“This raises privacy concerns regarding how companies collect images of members or customers, how they are stored, how long they are kept, and who has access to them,” Fowler said. “Many people choose to stay private online and do not publicly share images of themselves, their friends, families, or children.
“Nearly all social media accounts offer users the ability to have a private profile and have strict control over who can access their content. However, this doesn’t seem to be the case for member-uploaded images on Total Fitness platforms. It is hypothetically possible that the images stored in the backend database are potentially retained even after being deleted by the member. This would potentially explain why the database contained images of sensitive documents,” he added.
Total Fitness maintains that no evidence suggests unauthorized access to the database, except for Fowler’s. The breach has been reported to the UK’s data regulator, the Information Commissioner’s Office (ICO), for investigation.