Data on a subset of the consumers managed by digital fitness tracking platform FitMetrix may have been exposed publicly online, MINDBODY confirmed to Club Industry on Oct. 11. No personal health data or account credentials were exposed, the company said, and FitMetrix's data sets have since been re-secured.
MINDBODY, San Luis Obispo, California, purchased Atlanta-based FitMetrix in February 2018 for an undisclosed amount.
"Current indications are that this data included a subset of the consumers managed by FitMetrix ... and did not include any login credentials, passwords, credit card information or personal health information," Jason Loomis, MINDBODY's chief information security officer, told Club Industry. "MINDBODY takes the privacy and security of our customer and consumer data seriously, and we will leverage this incident to continuously improve our security posture."
On Oct. 5, security researcher Bob Diachenko alleged he found three unprotected FitMetrix servers that were exposing consumer data such as users' names, genders, email addresses, phone numbers and primary workout locations. Diachenko disputed Loomis' statement about the exposure of personal health information, according to an Oct. 11 report by TechCrunch, which claims that data regarding weight, height and shoe size was publicly exposed.
Loomis told Club Industry that MINDBODY took "immediate steps" to close all vulnerabilities within the FitMetrix platform.
"FitMetrix's powerful and intuitive tools help our customers drive results and retention while providing their clients with a fun and unique approach to fitness," MINDBODY CEO Rick Stollmeyer said of FitMetrix in a Feb. 20 media release. "Interactive engagement is the future of fitness, and we see some of our most successful customers integrating performance tracking technology into their studios."
MINDBODY recently reported 40 percent growth in its 2018 second quarter revenue.