‘Town Sports,’ the owner of the gym and fitness club chains ‘New York Sports Club,’ ‘Boston Sports Clubs,’ ‘Philadelphia Sports Clubs,’ ‘Washington Sports Clubs,’ ‘Lucille Roberts,’ and ‘TMPL Gym Total Woman Gym and Spa,’ has exposed the sensitive details of 600,000 of its employees and members. The security incident resulted from a database misconfiguration that left it accessible to anyone with a web browser, with no authentication or password required.
The type of data that was contained in the database includes the following:
Not all database entries contained the full set of details mentioned above, but we’re still talking about highly sensitive information in every case. The database first appeared on specialized search engines on November 30, 2019.
Town Sports eventually secured the database on September 22, 2020, a day after the researchers who discovered the leaky bucket informed them of the fact. In practice, this means the chances of this data not having already reached multiple hackers are slim to non-existent.
A typical way for malicious actors to use these details would be to target the victims with phishing attacks, especially to obtain full credit card numbers. Everything else is already available, so hackers would only need the few missing digits to unlock “unlimited” purchasing of online goods with other people’s money.
If you are among the affected individuals, be very careful with incoming communications that arrive in the form of emails, SMS, or even phone calls. Crooks know a lot about you, and they are masters of social engineering.
This incident couldn’t have come at a worse time for ‘Town Sports,’ their clients, and their employees. COVID-19 has forced the company to close down 185 gyms and let most of its personnel go. Additionally, they allegedly continued to charge members by mistake.
Ten days ago, ‘Town Sports’ filed for Chapter 11 bankruptcy, reporting liabilities of $500 million. As such, expecting any form of identity protection services from them is unrealistic at the moment, and from what we know, they haven’t even informed the exposed individuals yet.