Data breach at New York Sports Clubs owner exposed customer data – TechCrunch


Town Sports International, the parent company of New York Sports Clubs and Christi’s Fitness gyms, is mopping up after a security lapse exposed customer data.

Security researcher Bob Diachenko received a tip from a contact, Sami Toivonen, about an unprotected server containing almost a terabyte of spreadsheets representing years of internal company data, including financial records and personal customer records. Because there was no password on the server, anyone could access the files inside.

The server was exposed for almost a year, Diachenko told TechCrunch.

Town Sports pulled the server offline a short time after Diachenko contacted the company. He shared his findings exclusively with TechCrunch, which independently verified the authenticity of the data by confirming with customers details found in the spreadsheets.

Spreadsheets found on the server contained customer names, postal addresses, email addresses and phone numbers. The data also showed when a customer checked in and at which gym location. Some also had notes on customer accounts, such as complaints and when customers were past due on a missed membership payment.

Chief executive Patrick Walsh did not respond to several requests for comment, which also asked if the company planned to inform customers of the security lapse.

Town Sports was forced to shutter its 185 gyms on the U.S. east coast after COVID-19 was declared a pandemic in mid-March. By the end of March, the company told financial regulators it had about 588,000 members.

One of the spreadsheets found on the exposed server showed that Town Sports had just 7,100 paying customers by mid-May, while 566,000 customers had their gym memberships frozen.

Town Sports began freezing accounts and refunding membership fees after the company continued to charge customers even after the lockdown began, a move that drew a threat of legal action from New York attorney general Letitia James, who accused the gym chain of “ripping off” its members.

The same spreadsheet still had customer data on some 665,000 cancelled accounts.

Earlier this month the gym chain filed for bankruptcy, just as states began allowing gyms to reopen, albeit with reduced capacity and safety measures in place.


