Updates on the data breach
Dear Members & Partners,
On March 26, 2024, we became aware of a data protection incident. We cannot rule out that personal data was accessed via specific URL links. This may include names, email addresses, photos, and member check-in data.
Upon becoming aware of this, we took immediate action. The breach has been closed since March 27, 2024. Our team is working tirelessly to further investigate the incident, its scope, and its impacts. Therefore, we have additionally engaged two companies specialized in IT forensics and IT security.
Following our initial intensive investigations, No PayPal, debit card, or credit card information of our members has been affected. To the best of our current assessment, these are older data sets. Additionally, we have determined that passwords are not part of the data leak. Members and partners who joined Urban Sports Club after September 16, 2020, are also not affected by the incident. All affected members have been successfully identified.
We have reached out to all affected current and former members via email and informed them about which specific data were part of the incident. As a precautionary measure, all members who joined after September 16, 2020, were also being informed that their data were not affected by the data breach.
The data leak was an individual human error and not a successful hacker attack.
The incident does not affect the current Urban Sports Club Cloud network or current Urban Sports Club databases. Initially, it was believed that a VPN was misconfigured, but it has now been revealed that the settings on a folder in a no longer used cloud environment were incorrect.
Our current Urban Sports Club Cloud did not need to be changed at any time as it is secure.
We truly regret that this incident occurred.
The relevant authorities, our members, and partners have been informed about the incident.
As soon as we have further insights, we will inform and update this page.
If you have any questions, please check our Frequently Asked Questions or contact us via this form.
Update April 25, 2024: After further internal investigations, especially using sophisticated image recognition methods, we were able to identify the members whose Urban Sports Club profile photos were affected. These members have been informed by us. We do not believe that potential access to the profile photo is associated with any risks for the members.
Frequently Asked Questions
So is my personal data online now?
The gap has been closed since March 27. If you were affected by the data leak according to our current state of knowledge, you have received an email from us.
Do I have to change my password?
Regardless of the incident, we recommend changing your password at regular intervals. Information on creating a password can be found on the website of the German Federal Office for Information Security (BSI).
What can I do now?
We ask you to be particularly vigilant in the near future. Regardless of the incident, we recommend that you change your password at regular intervals. You can find new developments about the incident on our blog.
What exact data is affected by me?
Based on our current knowledge, those affected have received information about which personal data is affected by the data leak.
What is Urban Sports Club doing to prevent this from happening again?
The incident does not affect the current Urban Sports Club Cloud Network or current Urban Sports Club databases. Instead, it concerns the backup files in a cloud environment that is no longer in use. Nevertheless, we are taking this as an opportunity to carefully review our entire IT security infrastructure and processes once again.
How can I find out if I am affected?
Based on our current knowledge, we informed those affected by e-mail. If you are not included, you are not affected.
Why do you still have my old data and why hasn't it been deleted?
The incident concerns the settings in an old folder with backup files in a cloud environment that is no longer used. Unfortunately, this made it possible to access the affected data from outside the company.
Where was the data published?
According to our findings on the Internet.
Was my data offered on the Darknet?
We as Urban Sports Club have no information on this.