Total Fitness Data Breach: Photos of Nearly 500k Members Leaked

Penka Hristovska, Senior Editor

UK health club chain Total Fitness has left a sizable database filled with members’ personal information unsecured. The breach was uncovered by cybersecurity researcher Jeremiah Fowler, who reported that over 474,000 images of members and staff, including men, women, and children, were stored in a database that was unprotected and accessible without a password.

The database contained various images, including photos of members’ faces. These were either submitted by the members during online registration or taken by staff during on-site registration.

According to Fowler, the database was 47.7GB in size and contained images of identity documents, bank and payment card information, phone numbers, and, in rare instances, immigration records.

He also reported that approximately 97 percent of the database consisted of members’ images. However, Total Fitness disputed the severity of the data breach, arguing that members’ images made up only a “subset” of the database and most images did not include personally identifiable information.

“This raises privacy concerns regarding how companies collect images of members or customers, how they are stored, how long they are kept, and who has access to them,” Fowler said. “Many people choose to stay private online and do not publicly share images of themselves, their friends, families, or children.

“Nearly all social media accounts offer users the ability to have a private profile and have strict control over who can access their content. However, this doesn’t seem to be the case for member-uploaded images on Total Fitness platforms. It is hypothetically possible that the images stored in the backend database are potentially retained even after being deleted by the member. This would potentially explain why the database contained images of sensitive documents,” he added.

Total Fitness maintains that there is no evidence anyone other than Fowler accessed the database. The exposure has been reported to the UK’s data regulator, the Information Commissioner’s Office (ICO), for investigation.

About the Author
Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.
