Town Sports International, the parent company of New York Sports Clubs and Christi’s Fitness gyms, is mopping up after a security lapse exposed customer data.
Security researcher Bob Diachenko received a tip from a contact, Sami Toivonen, about an unprotected server containing almost a terabyte of spreadsheets representing years of internal company data, including financial records and personal customer records. But because there was no password on the server, anyone could access the files inside.
The server was exposed for almost a year, Diachenko told TechCrunch.
Town Sports pulled the server offline a short time after Diachenko contacted the company. He shared his findings exclusively with TechCrunch, which independently verified the authenticity of the data by confirming details found in the spreadsheets with customers.
Spreadsheets found on the server contained customer names, postal addresses, email addresses, and phone numbers. The data also contained when a customer…