According to researcher Jeremiah Fowler, the database, which was publicly accessible without a password, contained 474,000 images of men, women and children. The unprotected database, totalling 47.7GB, also included identity documents, bank and payment card information, phone numbers and, in some rare cases, immigration records.
“This raises privacy concerns regarding how companies collect images of members or customers, how they are stored, how long they are kept and who has access to them,” Fowler told The Register. He pointed out that the images stored could potentially be retained even after being deleted by the member, explaining the presence of sensitive documents in the database.
Total Fitness locks down
Total Fitness has said only a small number of the images contained personally identifiable information (PII), but Fowler’s findings suggest otherwise. He says approximately 97% of the images were of members. The company has since locked down the database and initiated a thorough examination, identifying 114 images with PII that have now been removed.
Chris Denbigh-White, CSO at Next DLP, highlighted the severity of the situation to Computing. He said, “This underscores a commonplace failing in cybersecurity: not implementing the most basic and elementary security controls. Consumers are tired of hearing of sensitive data being left openly available on the internet to be simply ‘copied and pasted’.”
Shobhit Gautam, staff solutions architect at HackerOne, remarked on the broader issue: “This highlights how a lot of organisations that aren’t as highly regulated by compliance as the financial and IT industry fail to implement either the right or adequate security controls in their environment to safeguard themselves from adversarial attacks.”
Multiple clubs affected
Total Fitness says it has informed the Information Commissioner’s Office (ICO), and affected individuals will be contacted. However, the incident has raised significant concerns about the chain’s security practices.
Total Fitness operates 15 clubs across northern England and Wales, serving over 100,000 members.
Jerome Brock, VP of IT and security at Censys, emphasised the potential consequences: “There are multiple dangers of having unprotected databases. In the best case, they lead to erosion of trust, both customer and public. In the worst case, they lead to monetary/financial impacts,” he said.
The exposure of these images, including those of children, is particularly worrying given the potential for abuse in cybercrime, such as identity theft and financial fraud. Fowler highlighted the growing threat of AI and deepfake technology, where such images can be exploited in malicious activities.
Total Fitness has acknowledged the incident and says it is taking steps to prevent a recurrence. As the investigation continues, the company will need to restore trust among its members and reinforce its data protection measures to avoid further breaches and potential regulatory penalties.