Town Sports International Data Breach Exposed Personal Information of 600,000 Members


An unsecured server belonging to the popular Town Sports fitness chain has exposed the personal information of over 600,000 customers and staff members.

Customer and employee records were stored in an unsecured Amazon S3 bucket, and included:

• Full names
• Street addresses
• Phone numbers
• Email addresses
• Last four digits of credit cards
• Credit card expiration dates
• Billing history

Fortunately, the database did not store any account passwords or full credit card details.

According to security researcher Bob Diachenko, who analyzed the database, the server was unprotected for nearly one year, leaving room for unauthorized individuals to browse and steal customer information. Town Sports secured the server just a day after Diachenko disclosed his findings on September 21.

“We do not know if any unauthorized parties accessed the data while it was exposed, but affected customers and staff could assume as much,” Comparitech researchers said. “Our research indicates unsecured databases can be found, stolen, and attacked within just a few hours of exposure.”

If cybercriminals found and accessed the database, they could use the information to target gym members and staff. Town Sports members should keep an eye out for suspicious emails or phone calls. Never share personal or financial information via phone, email, or chat with any individuals who may contact you online.

Town Sports International owns multiple fitness centers and gyms across the US East Coast, including New York Sports Clubs, Boston Sports Clubs, Philadelphia Sports Clubs, Washington Sports Clubs, Lucille Roberts, and Total Woman Gym and Spa.

This security incident could not have come at a worse time, as the fitness chain filed for bankruptcy on September 14. The company has not issued an official statement or comment regarding the data breach.