Gym App’s Cyber Security Gets a Work Out

January 3, 2017

2016 ended much like it started. No, I’m not talking about the latest celebrity lost to the world, but about news of another cyber security incident. This time it is PayAsUGym in the UK, one of the latest companies to suffer a data breach that puts its customers at risk of fraud and identity theft.

How much and what?

PayAsUGym takes a network-style approach that allows its customers to access a wide selection of gyms in the UK, rather than get membership at just one specific venue. Unfortunately for its customers, cyber criminals were able to break into the organization’s database and steal all kinds of information.

Exactly what was stolen and how many accounts were affected is the subject of some dispute at the moment. The hackers claim that as many as 500,000 customers have had their data stolen, while PayAsUGym says it believes the number to be closer to 300,000.

There’s also confusion and disagreement over exactly how much payment information was stolen. PayAsUGym said that a small number of credit and debit cards were partially compromised, with hackers able to obtain 4-10 digits of the card numbers. But there is speculation that for more than a few customers the name on the card and its expiry date were compromised too – although not, it is claimed, the CVV code on the back of the card. Unfortunately for PayAsUGym customers, that level of detail is more than enough for the hackers to recover the rest of the card details and carry out fraud.

With incidents like these, where names, email addresses and significant elements of other personal or financial data have been compromised, it’s very likely that the hackers will be able to cause a lot of damage through convincing fraud and phishing attacks. As such, those affected have been advised to cancel their cards and monitor their finances closely for unusual activity.

Response time matters

There’s another factor in this incident, and it is something we see far too often. The response to the hack was slow, and it took too long to warn customers. In its statement, PayAsUGym said:

“Once we were contacted by the hacker we responded responsibly and quickly. The hacker threatened to blackmail us. We contacted the police immediately who advised us not to respond to the hacker and, working with cyber security experts, we focused our attention on informing our customers, securing the system and changing servers. Customers were informed within two hours of us becoming aware that the breach included customer details.”

It’s not easy to know when you’ve been hacked. If it were, we wouldn’t see this problem time and time again. In some recent extreme cases, it has taken years for a company to come clean and announce that it has been hacked.

But if there is one thing we can learn from 2016, it is that organizations need to invest in better monitoring of network activity and in alerting systems that immediately highlight the unusual. That’s the only way they can even start to give themselves a fighting chance against hackers.