H*cked! Protect Your Club From These Growing Cyber Threats


Chances are good that your club’s computers have anti-virus software installed. But what about cloud threats, or security risks from tablets and other mobile devices? Your system may be more vulnerable than you think. Check out these growing and evolving threats below.

1. Cloud Hacks

Products like iCloud, Google Drive, and Dropbox are OK for sharing files, but they fail as a way to back up anything sensitive. They’re not particularly secure and have been the subject of recent hacks. And even if those services run in super-secure data centers, the problem with all of them is that none of that security matters if the password is compromised.

Passwords, it turns out, are pretty easy to crack. The number of people who still use “password” and “abc123” is astounding.

In fact, any connection that’s protected only by a password is open to password cracking, and that’s the root of the problem.

It can be embarrassing and expose your wellness business to significant legal and financial liability if protected health information, customer accounts and purchase history, or weight loss progress data are exposed.

The best defense is a “Kevlar” multi-layered approach:

  • Use two-factor authentication when it’s available.
  • Don’t use simple, easy-to-guess passwords.
  • Use letters, numbers and special characters in your passwords. If possible, use at least one upper-case letter.
  • Use longer passwords. Entire sentences with all the letters and numbers jammed together are harder to crack because they require password cracking software to try more combinations of letters and numbers
  • Avoid auto-login mode. It’s like leaving the front door to your business open at midnight. Instead, when you use services, require manual entry of the password each time a user logs in.

2. Ransomware

Ransomware is malware, usually delivered when an employee clicks on an email link, that encrypts everything on your computer or network so that you can no longer access it. Then, a screen pops up that demands payment of a modest amount of money by a specified date, usually by Bitcoin transfer to make it hard for law enforcement officials to track. It’s basically digital extortion. Un-encrypting content on your computer or network without the encryption key is next to impossible, so most businesses end up paying the ransom to restore access.

The best defense: consistently creating data backups using tools like Mozy, iDrive, or Carbonite, and observing the usual cyber security practices that protect against phishing attacks. If you’re the victim of a ransomware attack and don’t want to pay, start over with clean hard disks and restore your files from the last uninfected backup point.

3. WiFi and Bluetooth Hacks

Accessing your health club’s management software via a mobile device often means that you’re signing in from public venues such as malls and coffee shopsThis often means open WiFi connections, network file sharing, and Bluetooth-enabled smartphones.

Did you know Bluetooth can be used for data transfer? If your Bluetooth connection is turned on, any device paired with yours can read data on your mobile device. If you’re not paired with another local device while your connection is active, you’re leaving the door open to unauthorized access by another device.

Always remember that a public WiFi connection is just that — public. If you can access the connection, so can other people. If you’re not logging in through a secure access point, you’re making your info available to anyone who wants to pluck it out of the airwaves.

Plus, anyone can name a wireless network whatever they want. Hackers will give a seemingly trustworthy name to a wireless access point to trick people into using it with confidence. For example, they might set up a wireless network in a business district near a health club and call it “Health Club,” hoping to pick up sensitive financial or business information.

Here’s what you can do:

  • To protect your own information, avoid non-secure and public connections. If you must office in such an area, limit your business to a short period of time and don’t use the connection to send anything important like bank account data or protected health information.
  • Require a device login password and remote access passwords, and avoid auto-login mode.
  • Turn off Bluetooth when you’re not using it.
  • If you must office in a public place, set up your system to require a password at login AND to access files remotely… don’t “Share All” just to make your files easier for a business partner to access, because if it’s easy for them, it’s easy for EVERYONE.

To protect your members:

  • Publicize the name of your free in-house WiFi network so that they know what to look for.
  • Require a password for your complimentary WiFi network.
  • Periodically check the list of available devices using your own phone or tablet just to make sure nothing sketchy shows up in the list.

And if you’re talking about business in a public place, keep your voice down! My $4 latte is a cheap price to pay for overhearing your business plan for supplement distribution, franchising, or club operations.

4. Reputational Attacks

It’s one thing to deal with an angry customer in your gym or wellness center.  It’s another thing entirely to witness your fitness business’s reputation get dragged through the mud by a competitor or even an unethical investor who wants to drive your share price down.

Malicious reputational attacks typically involve a seemingly angry customer who posts diatribes about your business on every available channel.

How can you tell whether these complaints are coming from legitimate customers? Look for evidence that the person has been a member in the past or has bought class cards or other services from you. Is there any aspect of their identity that you can confirm on your end? Do they have a history of activity in the channels where they’re posting, or are all of their posts related just to your buisness?

If it really is an angry customer, ask them politely if when you correct the problem to their satisfaction, they might consider taking down the angry Facebook, blog post, or forum post, or at least explaining to others how you resolved things to their satisfaction.

If it’s not a real customer, and the attacks are unrelenting and causing demonstrable damage to your business, contact your attorney to discuss next steps. You may be able to use the courts to discover who’s behind these attacks and eventually stop them, although it won’t be quick, easy or cheap.

5. Malicious Social Attacks

Malicious social attacks are on the upswing. These attacks include unauthorized use or hijacking of social media accounts, content attacks, and redirection or misdirection to bogus sites.

Signs your business’s social media may be under attack include:


  • Login failures (indicating someone else is using your account and has changed the password)
  • Location-aware posts… made 1000 miles away from your current location
  • Dozens or hundreds of posts, likes, thumbs-ups, or emoticons, often delivered in rapid succession through Facebook messaging, your business’s Facebook wall, or your Twitter feed
  • Posts by people you didn’t invite to your group, who belong to hundreds of groups, have thousands of friends, or Like random sites with no particular connection to yours

What can you do?

  • If you receive what appears to be a Facebook invitation to Like a post, Friend someone, or join a group, do it directly from your Facebook account, not from the email containing the invitation, which may not have come from Facebook at all.
  • Before accepting a friend request, log in separately to your social media account and search for the user. If they have common friends or interests and they appear to be a real person, consider accepting the request; otherwise, ignore or delete the invitation.
  • When a stranger’s post contains a link to another site, search for references to the site in your browser without actually visiting the site. Confirm that the site is legitimate before visiting.
  • Change your social media passwords periodically and use secure passwords.
  • Delete posts that appear to be suspect or malicious.
  • Block and report suspect users.

More About Cyber Threats

Read about more cyber threats facing health and wellness businesses.