Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing 474,651 images belonging to Total Fitness, a health club chain with 15 locations across North England and Wales.
The database, which was 47.7 GB in size, included personal screenshots, profile pictures of members and their children, and facial images of gym employees.
Some images contained highly sensitive information such as passports, credit cards, and utility bills.
Fowler reported the breach to vpnMentor, and the database was closed nearly a week later. However, it remains unclear how long the database was publicly accessible or if anyone else gained access.
The exposed images raise serious privacy concerns, especially in the age of artificial intelligence (AI) and facial recognition technology. Criminals could use these images for impersonation, fraud, blackmail, or other malicious activities.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot
Fowler highlighted the risks of AI-generated deepfakes, which can be used to create compromising or sexually explicit content involving the victim’s likeness.
The UK’s National Crime Agency (NCA) has already issued warnings about the rise in financial sextortion schemes targeting underage children.
The breach underscores the need for companies to implement robust data security measures to protect the personal information of their members and employees.
This image shows a screenshot of a member’s account that displays PII, including account ID number, name, email address, phone number, and home address.
Total Fitness has taken steps to address the issue, including conducting a full audit of all member images and notifying the Information Commissioner’s Office (ICO).
The company stated, “We are communicating to all members whose images we have identified, and such images have been removed.”
They emphasized their commitment to protecting their members’ privacy and ensuring such incidents do not recur.
Fowler commended Total Fitness for their professionalism and responsibility in handling the data incident.
This breach is a stark reminder of the importance of data security and the potential risks associated with exposed personal information.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
Snap Fitness is celebrating an outstanding year across the UK & Ireland, breaking records across a number of key performanc
Keely Hodgkinson was crowned 2024's Sports Personality of the Year last night – sporting a stunning custom Nike gown – making her the fourth woman in a row
Sign up to the Independent Climate email for the latest advice on saving the planetGet our free Climate emailGet our free Climate emailSmartwatches and fitness
Leigh McLean's husband Colin loved the gym and was always really fit until multiple sclerosis changed his life.The 57-year-old was diagnosed over a decade ago b