[BreachExchange] Data breach at New York Sports Clubs owner exposed customer data

Destry Winant destry at riskbasedsecurity.com
Thu Sep 24 10:25:23 EDT 2020


https://techcrunch.com/2020/09/23/new-york-sports-clubs-owner-breach/

Town Sports International, the parent company of New York Sports Clubs
and Christi’s Fitness gyms, is mopping up after a security lapse
exposed customer data.

Security researcher Bob Diachenko received a tip from a contact, Sami
Toivonen, about an unprotected server containing almost a terabyte of
spreadsheets representing years of internal company data, including
financial records and personal customer records. Because there was
no password on the server, anyone could access the files inside.

The server was exposed for almost a year, Diachenko told TechCrunch.

Town Sports pulled the server offline a short time after Diachenko
contacted the company. He shared his findings exclusively with
TechCrunch, which independently verified the authenticity of the data
by confirming with customers details found in the spreadsheets.

Spreadsheets found on the server contained customer names, postal
addresses, email addresses and phone numbers. The data also recorded
when a customer checked in and at which gym location. Some also had
notes on customer accounts, such as complaints and when customers were
past due on a missed membership payment.

Chief executive Patrick Walsh did not respond to several requests for
comment, which also asked if the company planned to inform customers
of the security lapse.

Town Sports was forced to shutter its 185 gyms on the U.S. east coast
after COVID-19 was declared a pandemic in mid-March. By the end of
March, the company told financial regulators it had about 588,000
members.

One of the spreadsheets found on the exposed server showed that Town
Sports had just 7,100 paying customers by mid-May, while 566,000
customers had their gym memberships frozen.

Town Sports began freezing accounts and refunding membership fees
after the company continued to charge customers even after the
lockdown began, a move that drew a threat of legal action from New
York attorney general Letitia James, who accused the gym chain of
“ripping off” its members.

The same spreadsheet still had customer data on some 665,000 cancelled accounts.

Earlier this month the gym chain filed for bankruptcy, just as states
began allowing gyms to reopen, albeit with reduced capacity and safety
measures in place.

