Data breach at New York Sports Clubs owner exposed customer data

Town Sports International, the parent company of New York Sports Clubs and Christi’s Fitness gyms, is mopping up after a security lapse exposed customer data.

Security researcher Bob Diachenko received a tip from a contact, Sami Toivonen, about an unprotected server containing almost a terabyte of spreadsheets representing years of internal company data, including financial records and personal customer records. But because there was no password on the server, anyone could access the files inside.

The server was exposed for almost a year, Diachenko told TechCrunch.

Town Sports pulled the server offline a short time after Diachenko contacted the company. He shared his findings exclusively with TechCrunch, which independently verified the authenticity of the data by confirming with customers details found in the spreadsheets.

Spreadsheets found on the server contained customer names, postal addresses, email addresses and phone numbers. The data also contained when a customer checks-in and at which gym location. Some also had notes on customer accounts, such as complaints and when customers were past due on a missed membership payment.

Chief executive Patrick Walsh did not respond to several requests for comment, which also asked if the company planned to inform customers of the security lapse.

Town Sports was forced to shutter its 185 gyms on the U.S. east coast after COVID-19 was declared a pandemic in mid-March. By the end of March, the company told financial regulators it had about 588,000 members.

One of the spreadsheets found on the exposed server showed that Town Sports had just 7,100 paying customers by mid-May, while 566,000 customers had their gym memberships frozen.

Town Sports began freezing accounts and refunding membership fees after the company continued to charge customers even after the lockdown began, a move that drew a threat of legal action from New York attorney general Letitia James, who accused the gym chain of “ripping off” its members.

The same spreadsheet still had customer data on some 665,000 cancelled accounts.

Earlier this month the gym chain filed for bankruptcy, just as states began allowing gyms to reopen, albeit with reduced capacity and safety measures in place.