Photos of 500K members of UK health club Total Fitness leaked due to unprotected database

Cybersecurity researcher Jeremiah Fowler discovered a non-password protected database belonging to Total Fitness, containing 474,651 pictures of members.

Total Fitness is a chain of fitness health clubs with fifteen locations across Northern England and Wales. It has over 100,000 members and employs about 60,000 men and women.

Since the online database wasn’t protected by a password, it was accessible to anyone with an internet connection. It not only contained images and profile pictures of almost half a billion (former) members. Fowler also found screenshots with passports, credit card information, utility bills and other personal identifiable information.

ICO has been informed about the data breach

Jeremiah Fowler immediately contacted Total Fitness. A week later the database was closed. It’s unclear how long the database was publicly accessible and how many people downloaded the full content.

“We are a members-only club and as part of our joining and access control processes we ask our members to provide a photo of themselves. This protects their membership from being used by someone else and helps us to identify members should we need to locate them in one of our facilities,” Total Fitness says in a statement to vpnMentor.

The chain of fitness clubs promises to inform all affected members. The Information Commissioner’s Office (ICO), the British data protection authority (DPA), has been notified.

Fowler: ‘Be aware of the dangers of AI’

The security researcher is warning customers for potential risks, such as identity fraud, phishing and blackmail.

Victims should also be aware of the potential risks of artificial intelligence (AI). AI enables scammers to create deepfake images and videos, which in turn can be used to deceit and extort both businesses and individuals.

According to Fowler, victims of deepfakes should immediately report the misuse to the website, social media platform or developer of an application. They should also collect as much evidence as possible of the abuse and report it to the local authorities.

Furthermore, Fowler recommends victims to inform their friends, family members and co-workers that someone is abusing their image or identity. Finally, you can use the advanced privacy settings in social media accounts to restrict access to your photos and personal information.