Glofox Data Breach March 2020

Have you heard of a company called Glofox? Their software provides the booking system for gyms and fitness studios.

They suffered a data breach in March 2020, but haven't said much about it. Nothing I could find. Others have, however.

Glofox has not responded to media requests for comment on a possible security breach but it has, in recent days, responded to individuals on Twitter who posed questions to the company after being informed its website had been compromised.

Lame. I was under the impression that under data protection legislation, organisations must contact the appropriate body and make a public statement as soon as they have knowledge of a breach. As an Irish company, they should have reported it to the Data Protection Commission:

From 25 May 2018, the General Data Protection Regulation (GDPR) introduces a requirement for organisations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. Organisations must do this within 72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.

Whoops. Did Glofox pass this responsibility on to their customers, or are they not bothered? Note the date of the Irish Times report: November 2020.

In January 2021 I was alerted to the breach thanks to a service called Have I Been Pwned. It's integrated in my password manager, 1Password.

Since the Glofox dashboard does not offer a way to delete an account, it took an email to dataprivacy@glofox.com to do so.

It's taken until May for the first spam emails to arrive at the compromised email addresses: both hawking a Norton Antivirus subscription which needs renewing. Do you think it leads to a legitimate website?

If you're going to look after personal data, get your shit together. Mistakes happen, but don't try and hide it.